The plugin does not sanitise and escape numerous parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.
Make a logged-in admin open:

https://example.com/wp-admin/admin.php?page=sr-assets&filter_city_listing=">

https://example.com/wp-admin/admin.php?page=sr-reservations&filter_customer_fullname=">&filter_guest_fullname=">&filter_checkin_from=">&filter_checkin_to=">&filter_checkout_from=">&filter_checkout_to=">

Other pages and parameters are affected.
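A log check for the request pattern above, added here as an example and not part of the original advisory: it flags wp-admin requests to the plugin's pages whose filter parameters decode to attribute-breaking characters. The combined access-log format, the `sr-` page prefix and the `filter_` parameter prefix as a general rule, and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters that close a double-quoted HTML attribute or open a tag when
# reflected unescaped. A single quote is left out so that names such as
# O'Brien in a fullname filter are not flagged.
BREAKOUT = re.compile(r'["<>]')
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_filters(log_line):
    """Return [(page, param, value)] for filter_* values carrying markup characters."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return []
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    page = next((v for k, v in params if k == "page"), "")
    # Assumption: the plugin's admin pages share the "sr-" prefix and the
    # reflected parameters the "filter_" prefix, as in the two URLs above.
    if not page.startswith("sr-"):
        return []
    return [(page, k, v) for k, v in params
            if k.startswith("filter_") and BREAKOUT.search(v)]

def scan(lines):
    """Collect findings across an iterable of log lines."""
    hits = []
    for line in lines:
        hits.extend(suspicious_filters(line))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=sr-assets&filter_city_listing=Paris HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=sr-assets&filter_city_listing=%22%3E HTTP/1.1" 200 5131',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=sr-reservations&filter_checkin_from=2024-01-01&filter_guest_fullname=%22%3E HTTP/1.1" 200 6002',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /wp-admin/admin.php?page=other&filter_x=%22%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for page, param, value in scan(SAMPLE_LOG):
        print(f"{page}: {param} = {value!r}")
```

A hit in the logs shows only that such a request was made; whether the value was reflected unescaped depends on the installed plugin version.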