To exploit this vulnerability, the attacker needs access to an account with at least the capability 'edit_posts' (e.g. a contributor). This is required to obtain a nonce, which is used to protect the affected ajax function.
To obtain the nonce, the attacker calls "<your host here>/wp-admin/edit.php?post_type=qr". The nonce is then found in a script with the id "qyrr-admin-js-extra".
Inside that script, the exploitable qr posts are listed (post_id is the id of the post meta data with the meta key 'data-uri'). There is no check that the requesting user is the owner of that qr post.
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Then access the page/post where the QR code is embedded to trigger the XSS.
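From the defender's side, an added illustration (not the plugin's own code; the action, function, nonce and field names are assumptions) of how such an AJAX handler closes the two gaps described above: the nonce is kept, but a per-post 'edit_post' ownership check is added, and the value written to the 'data-uri' meta is validated and escaped so it can no longer carry script into a page.

```php
<?php
// Hypothetical hardened AJAX handler for a QR-code post type. Illustrative only;
// 'qr_save_data_uri', 'qr_admin_nonce' and the POST field names are assumed.
add_action( 'wp_ajax_qr_save_data_uri', 'qr_example_save_data_uri' );

function qr_example_save_data_uri() {
    // 1. Nonce: proves the request originated from a page the plugin rendered.
    //    It says nothing about WHICH post the caller may touch.
    check_ajax_referer( 'qr_admin_nonce', 'security' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // 2. Object-level authorization: the check that was missing. 'edit_post'
    //    on this specific ID is true for a contributor only on their own posts.
    if ( ! $post || 'qr' !== $post->post_type
        || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: accept only a PNG data URI, never free-form text
    //    that would later be echoed into a src attribute.
    $data_uri = isset( $_POST['data_uri'] ) ? wp_unslash( $_POST['data_uri'] ) : '';
    if ( ! qr_example_is_safe_data_uri( $data_uri ) ) {
        wp_send_json_error( 'invalid data uri', 400 );
    }

    update_post_meta( $post_id, 'data-uri', $data_uri );
    wp_send_json_success();
}

function qr_example_is_safe_data_uri( $uri ) {
    // Strict allowlist: data:image/png;base64,<base64 characters only>.
    // SVG is deliberately excluded because it may contain script.
    if ( ! preg_match( '#^data:image/png;base64,([A-Za-z0-9+/]+={0,2})$#', $uri, $m ) ) {
        return false;
    }
    // Decode strictly and confirm the payload really starts with a PNG header.
    $bytes = base64_decode( $m[1], true );
    return false !== $bytes && 0 === strpos( $bytes, "\x89PNG\r\n\x1a\n" );
}

// 4. Output: stored values are still escaped at render time, so even a value
//    written through some other path cannot break out of the attribute.
function qr_example_render_img( $post_id ) {
    $uri = get_post_meta( $post_id, 'data-uri', true );
    return '<img src="' . esc_attr( $uri ) . '" alt="QR code">';
}
```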