The plugin does not sanitise and escape the idpay_error parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability.
Append the following payload on a page where a form with an idPay payment interface is embedded: &idpay_error=
Example: https://example.com/contact-form/?idpay_error=<script>alert(/XSS/)</script>
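The flaw class described above, shown as an added example in plain PHP. This is not the plugin's code: the function names and the surrounding markup are hypothetical, and only the idpay_error parameter name and the sample query string come from the advisory.

```php
<?php
// Added illustration; function names and the <div> markup are assumptions.

// Vulnerable pattern: the request parameter is concatenated into HTML unchanged,
// so any markup in the query string becomes part of the page.
function render_error_vulnerable(array $query): string
{
    if (!isset($query['idpay_error']) || !is_string($query['idpay_error'])) {
        return '';
    }
    return '<div class="idpay-error">' . $query['idpay_error'] . '</div>';
}

// Hardened pattern: check the type, sanitise on input, escape on output.
function render_error_hardened(array $query): string
{
    $raw = $query['idpay_error'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return ''; // rejects array input such as idpay_error[]=x
    }
    // Sanitise: drop tags and bound the length of the displayed message.
    $msg = substr(strip_tags($raw), 0, 200);
    // Escape for the HTML body context. Inside WordPress the usual equivalent
    // is esc_html( sanitize_text_field( wp_unslash( $raw ) ) ).
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="idpay-error">' . $safe . '</div>';
}

// Escape-only variant: shows that output escaping alone already keeps the
// value as text, even when no sanitisation step ran before it.
function render_error_escaped_only(array $query): string
{
    $raw = is_string($query['idpay_error'] ?? null) ? $query['idpay_error'] : '';
    return '<div class="idpay-error">'
        . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Query string taken from the advisory's example URL.
parse_str('idpay_error=<script>alert(/XSS/)</script>', $query);

echo "vulnerable:   ", render_error_vulnerable($query), PHP_EOL;
echo "hardened:     ", render_error_hardened($query), PHP_EOL;
echo "escaped only: ", render_error_escaped_only($query), PHP_EOL;
```

Comparing the three output lines shows where the script element survives as markup and where it is reduced to inert text.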