The plugin does not sanitise or escape its โPaypal email addressโ setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue
Add the following payload in the โPaypal email addressโ setting of the plugin (/wp-admin/admin.php?page=bookshelf-settings): ">