The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator update arbitrary payment history, such as changing their status (from pending to completed, for example).
Add a listing, don’t complete payment (status will be pending).

payment[created_at_date]|
---|---
payment[created_at_time_hour]|
payment[created_at_time_min]|
payment[id]|
payment[payer_data][address]|
payment[payer_data][address_2]|
payment[payer_data][city]|
payment[payer_data][country]|
payment[payer_data][state]|
payment[payer_data][zip]|
payment[payer_email]|
payment[payer_first_name]|
payment[payer_last_name]|
payment[status]|
payment_note|
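
One way a WordPress handler for these fields can reject forged requests, shown as an added example and not the plugin's own code. The action name, nonce field name, required capability, redirect target and `myplugin_save_payment()` are hypothetical, and the status allowlist contains only the two values named above.

```php
<?php
// Added example: hypothetical handler, not the plugin's code.
// Assumed names: myplugin_update_payment, _myplugin_nonce, myplugin_save_payment().

// Call inside the payment edit form: emits a hidden nonce bound to the
// current user, this action and this specific payment id.
function myplugin_payment_nonce_field( $payment_id ) {
    wp_nonce_field( 'myplugin_update_payment_' . absint( $payment_id ), '_myplugin_nonce' );
}

add_action( 'admin_post_myplugin_update_payment', 'myplugin_handle_payment_update' );

function myplugin_handle_payment_update() {
    // Authorisation: only users allowed to manage payments (capability is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    $payment = ( isset( $_POST['payment'] ) && is_array( $_POST['payment'] ) )
        ? wp_unslash( $_POST['payment'] )
        : array();
    $id = isset( $payment['id'] ) ? absint( $payment['id'] ) : 0;

    // CSRF check: a cross-site form cannot know the nonce, so a forged
    // request stops here. check_admin_referer() ends the request on failure.
    check_admin_referer( 'myplugin_update_payment_' . $id, '_myplugin_nonce' );

    // Validate the state change instead of trusting payment[status] as sent.
    $allowed = array( 'pending', 'completed' ); // the two statuses named on the page
    $status  = isset( $payment['status'] ) ? sanitize_key( $payment['status'] ) : '';
    if ( 0 === $id || ! in_array( $status, $allowed, true ) ) {
        wp_die( 'Invalid payment data', '', array( 'response' => 400 ) );
    }

    // Hypothetical persistence call standing in for the plugin's own update code.
    myplugin_save_payment( $id, array( 'status' => $status ) );

    wp_safe_redirect( admin_url( 'admin.php?page=myplugin-payments' ) );
    exit;
}
```

Binding the nonce action to the payment id means a token captured for one record cannot be replayed against another.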