The plugin did not escape the Donation Level setting of its Donation Forms, allowing high-privilege users to use Cross-Site Scripting payloads in them.
Put the following payload in any Donation Level Text field of a Donation Form (e.g. /wp-admin/post.php?post=9&action=edit&give_tab=form_field_options#form_field_options):
"onmouseover=alert(/XSS/)//
Then view a page/post with the embedded Donation Form and move the mouse over the Donation Level the payload was injected in to trigger the XSS.
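The escaping gap described above, shown as an added PHP example that is not the plugin's code: a stored Donation Level text is written into a double-quoted HTML attribute with and without output escaping. The button markup, the data-text attribute and all function names are assumptions, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress loaded.

```php
<?php
// Added illustration, not GiveWP source. Markup, attribute and function
// names are hypothetical.

// Constructed sample: the Donation Level text from the report, as it would
// be stored in the form settings.
$level_text = '"onmouseover=alert(/XSS/)//';

// Vulnerable pattern: the stored setting is concatenated into a
// double-quoted attribute as-is.
function render_level_unescaped(string $text): string
{
    return '<button type="button" data-text="' . $text . '">Donate</button>';
}

// Hardened pattern: escape for the attribute context at output time.
// In a WordPress plugin this call would be esc_attr($text).
function render_level_escaped(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<button type="button" data-text="' . $safe . '">Donate</button>';
}

// Read data-text the way an HTML parser delimits it (up to the next double
// quote), decode entities, and compare with the stored value. A mismatch
// means part of the value ended up outside the attribute.
function attribute_round_trips(string $html, string $stored): bool
{
    if (!preg_match('/ data-text="([^"]*)"/', $html, $m)) {
        return false;
    }
    $seen = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $seen === $stored;
}

$renderers = [
    'unescaped' => 'render_level_unescaped',
    'escaped'   => 'render_level_escaped',
];
foreach ($renderers as $label => $render) {
    $html = $render($level_text);
    $ok = attribute_round_trips($html, $level_text) ? 'yes' : 'no';
    printf("%-9s %s\n", $label, $html);
    printf("          value stays inside attribute: %s\n", $ok);
}
```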