The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
With the PeachPay payment gateway enabled (it can be enabled via the settings: http://example.com/wp-admin/admin.php?page=wc4jp-options&tab=payment),
make a logged-in admin open the following URL: https://example.com/wp-admin/admin.php?page=peachpay&tab=field&"><script>alert(/XSS/)</script>
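
The flaw class described above, as an added example that is not the plugin's own code: a link URL rebuilt from the request and printed into an href, first unescaped and then escaped at output. The function names, markup and URL-building logic are assumptions made for illustration, and htmlspecialchars() stands in for WordPress's esc_url() so the file runs without WordPress.

```php
<?php
// Added illustration: not PeachPay's code. Function names, the "nav-tab"
// markup and the link text are hypothetical.

// Rebuild the current admin URL with the "tab" argument replaced. Assumption:
// the query string is decoded while parsing and not re-encoded afterwards.
function build_tab_url(string $request_uri, string $tab): string {
    [$path, $query] = array_pad(explode('?', $request_uri, 2), 2, '');
    parse_str($query, $args);          // percent-decodes keys and values
    $args['tab'] = $tab;
    $pairs = [];
    foreach ($args as $key => $value) {
        if (is_scalar($value)) {
            $pairs[] = $key . '=' . $value;   // written back raw
        }
    }
    return $path . '?' . implode('&', $pairs);
}

// Before: the generated URL is placed in the attribute as-is.
function render_link_unescaped(string $url): string {
    return '<a class="nav-tab" href="' . $url . '">Field editor</a>';
}

// After: escape at the point of output. In a plugin this is esc_url();
// htmlspecialchars() stands in so the file runs without WordPress loaded.
function render_link_escaped(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a class="nav-tab" href="' . $safe . '">Field editor</a>';
}

// Constructed sample: the request URI a browser sends for the URL above.
$uri = '/wp-admin/admin.php?page=peachpay&tab=field'
     . '&%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E';
$url = build_tab_url($uri, 'field');

foreach (['unescaped' => render_link_unescaped($url),
          'escaped'   => render_link_escaped($url)] as $label => $html) {
    // A literal <script> in the markup means the href attribute was closed early.
    $broken = strpos($html, '<script>') !== false;
    $state  = $broken ? 'attribute broken out' : 'attribute intact';
    printf("%-9s %s\n  %s\n", $label, $state, $html);
}
```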