The plugin did not escape user input when blocking requests (such as when matching a spam word). It output the input in an attribute after sanitising it only to remove HTML tags, which is not sufficient and leads to a reflected Cross-Site Scripting issue.
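The following added example (not the plugin's code) shows why removing tags does not protect an attribute context, by rendering the two inputs quoted in this advisory with and without attribute escaping. The `<input>` markup, the field name `blocked` and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. The markup and the field name
// "blocked" are assumptions; only the strip-tags-then-attribute pattern
// comes from the advisory.
const PREFIX = '<input type="hidden" name="blocked" value="';
const SUFFIX = '" />';

// Pattern described in the advisory: HTML tags are removed, but the result
// goes into a double-quoted attribute with no attribute escaping.
function render_unescaped(string $input): string
{
    return PREFIX . strip_tags($input) . SUFFIX;
}

// Hardened form: escape for the attribute context at output time.
// WordPress provides esc_attr() for this; htmlspecialchars() is used here
// so the example runs without WordPress loaded.
function render_escaped(string $input): string
{
    return PREFIX . htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . SUFFIX;
}

// True when no literal double quote from the input reaches the markup,
// i.e. the text cannot terminate value="..." and add attributes or content.
function stays_inside_value(string $html): bool
{
    $inner = substr($html, strlen(PREFIX), -strlen(SUFFIX));
    return strpos($inner, '"') === false;
}

// The two inputs quoted in this advisory's proof of concept.
$inputs = ['ad" accesskey=X onclick=alert(1) "', 'ad">TEST'];

foreach ($inputs as $input) {
    foreach (['render_unescaped', 'render_escaped'] as $render) {
        $html = $render($input);
        printf("%-17s contained=%-3s %s\n", $render, stays_inside_value($html) ? 'yes' : 'no', $html);
    }
}
```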
Proof of Concept
From an IP not in the Allow List (wp-admin/admin.php?page=ss_allow_list), make a request with a spam word, and add an XSS payload, such as ad" accesskey=X onclick=alert(1) "
An input such as ad">TEST can also be used to prove the injection, which will result in TEST" /> being displayed in the page.
This can be achieved via the wp-login.php form, for example, in either the Username or Password field.
POST /wp-login.php HTTP/1.1
Accept-Encoding: gzip, deflate