The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform a Stored Cross-Site Scripting attack.
1. Add a product item to the plugin and give it an item name, for example "first". You will also use this name in the shortcode.
2. Exploit shortcode:
[button_to_cart item='first' value='SUBMIT" onmouseover="alert(1)" style="border:5px solid red;"']
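
The fix for this class of bug is to validate the attribute and escape it for the HTML attribute context on output. The sketch below is an added example, not the plugin's own code: the function names, the allow-list, the default label and the assumption that the value is emitted into a submit button's value="..." attribute are all hypothetical. It runs inside WordPress (using esc_attr()) or stand-alone with the PHP CLI.

```php
<?php
// Added illustration: hypothetical handler, not the plugin's source code.

// Attributes as the handler would receive them once the shortcode from the
// steps above is parsed (constructed sample input).
$atts = [
    'item'  => 'first',
    'value' => 'SUBMIT" onmouseover="alert(1)" style="border:5px solid red;"',
];

// Escape for an HTML attribute. Inside WordPress this is esc_attr(); the
// fallback only exists so the file also runs outside WordPress.
function attr_escape(string $s): string
{
    return function_exists('esc_attr')
        ? esc_attr($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the attribute is concatenated into the markup as-is,
// so a double quote in it closes value="..." and starts new attributes.
function render_button_unsafe(array $atts): string
{
    return '<input type="submit" value="' . $atts['value'] . '">';
}

// Hardened: validate against an allow-list (assumed policy: short plain
// label), fall back to a default, and escape on output regardless.
function render_button_safe(array $atts): string
{
    $label = (string) ($atts['value'] ?? '');
    if (!preg_match('/^[\p{L}\p{N} .,!?-]{1,40}$/u', $label)) {
        $label = 'Add to cart'; // assumed default label
    }
    return '<input type="submit" value="' . attr_escape($label) . '">';
}

echo "unsafe:       ", render_button_unsafe($atts), PHP_EOL;
echo "safe:         ", render_button_safe($atts), PHP_EOL;
// Escaping alone, without the allow-list, already keeps the text inside value="".
echo "escaped only: ", '<input type="submit" value="' . attr_escape($atts['value']) . '">', PHP_EOL;
```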