The plugin does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue
https://example.com/purchase/confirm-payment/?order=order-xxxxxxx&PayerID=aa"><svg/onload=alert(/XSS/)>