Due to an incomplete fix of CVE-2020-16140 (see https://wpscan.com/vulnerability/10444), the reflected XSS attack is still possible on unauthenticated users, by extracting the search_nonce from the source of the homepage and adding it to the original payload. This is possible because WP nonces are tied to the logged in user ID, however in the case of unauthenticated users, their ID is 0 so they will have the same nonce generated.
Proof of Concept
Get the search_nonce from the source page, ie ttps://demo.thembay.com/greenmart
Add it to the payload URL via the security parameter: https://demo.thembay.com/greenmart/wp-admin/admin-ajax.php?callback=%3Csvg/onload=alert(/XSS/)%3E&action=greenmart_autocomplete_search&term=defaultText&security=448d6cbda2