The plugin does not escape some of the Form settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
Go to the AJAX settings of a Form and put the following payload in the "Minimum number of characters required to run ajax search." (min_no_for_search field) or "Text when there is no search results" (nothing_found_text field) settings: "style=animation-name:rotation onanimationstart=alert(/XSS/)// yo="
Note: The min_no_for_search field is only validated to be a number client side.
For the _is_settings[highlight_color] parameter, a payload such as " autofocus=autofocus onfocus=alert(/XSS/)// oni=" can be used.
POST /wp-admin/admin.php?page=ivory-search&post=14&tab=options HTTP/2
Cookie: [admin cookies]
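
The fix pattern for the settings above, as an added example (not the plugin's code or its actual patch): validate on the server when saving, and escape for the output context when rendering. It assumes the values are printed inside a quoted HTML attribute, which the shape of the payloads suggests; the function names are hypothetical, and the WordPress helpers named in the comments are the usual equivalents of the plain-PHP calls used here.

```php
<?php
// Added illustration; function names are hypothetical, not taken from the plugin.

// Server-side validation for min_no_for_search: the browser-side number
// check is not a control, so anything that is not a non-negative integer
// is replaced with 0. WordPress equivalent: absint().
function sanitize_min_chars($raw): int {
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? 0 : $n;
}

// highlight_color: accept only #rgb or #rrggbb, otherwise store nothing.
// WordPress equivalent: sanitize_hex_color().
function sanitize_highlight_color($raw): string {
    $s = is_string($raw) ? $raw : '';
    return preg_match('/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $s) ? $s : '';
}

// Output escaping for an HTML attribute value. WordPress equivalent: esc_attr().
function attr($value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the stored value is concatenated into the attribute unescaped,
// so a double quote in it ends the attribute and starts new ones.
function render_unescaped(string $name, $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// "After": identical markup, value escaped for attribute context.
function render_escaped(string $name, $value): string {
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Payload quoted from the Proof of Concept above.
$poc = '" autofocus=autofocus onfocus=alert(/XSS/)// oni="';

echo render_unescaped('_is_settings[highlight_color]', $poc), "\n";
echo render_escaped('_is_settings[highlight_color]', $poc), "\n";

// Validation on save rejects the payload and keeps well-formed values.
var_dump(sanitize_highlight_color($poc));
var_dump(sanitize_highlight_color('#ffcc00'));
var_dump(sanitize_min_chars($poc));
var_dump(sanitize_min_chars('3'));
```

Free-text settings such as nothing_found_text cannot be reduced to a strict format, so for those the output escaping is the control that matters.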