The plugin does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue.
Add the following payload in the "Paypal email address" setting of the plugin (/wp-admin/admin.php?page=bookshelf-settings): "><script>alert(/XSS/)</script>
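
The missing sanitisation and escaping described above, shown as an added example in plain PHP; it is not the plugin's code. The function names and the `paypal_email` field name are hypothetical, and rendering the setting inside an input's value attribute is an assumption based on the payload's leading `">`.

```php
<?php
// Added example: all names here are hypothetical, not taken from the plugin.

// Payload from the advisory, as it would sit in the stored setting.
$stored = '"><script>alert(/XSS/)</script>';

// Vulnerable pattern: the stored value is echoed into an attribute as-is,
// so the leading "> closes the attribute and the tag around it.
function render_field_unsafe(string $value): string
{
    return '<input type="text" name="paypal_email" value="' . $value . '">';
}

// Fix at output: escape for the HTML attribute context where the value is
// printed. In WordPress the equivalent call is esc_attr().
function render_field_safe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="paypal_email" value="' . $escaped . '">';
}

// Defence in depth at save time: keep only a syntactically valid address.
// In WordPress the equivalents are sanitize_email() and is_email().
// Validation does not replace output escaping, because some valid
// addresses still contain characters that are special in HTML.
function sanitize_paypal_email(string $raw): string
{
    $candidate = trim($raw);
    return filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false ? $candidate : '';
}

// Compare the two renderings of the same stored value.
echo render_field_unsafe($stored), PHP_EOL;
echo render_field_safe($stored), PHP_EOL;

// Save-time check on the advisory payload and on a constructed sample address.
var_dump(sanitize_paypal_email($stored));
var_dump(sanitize_paypal_email('shop@example.com'));
```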