As for LFI i cant detail because many forum will get jacked if i provide poc, but juts telling you it's "traversal sequences method"
if i was you then i would have not used this plugin, not atol. + author is very lazy to respond or to fix sqli so no point informing him new vulnerabilities , dunno
EDIT: dp_pn there is no bug in payment gateway itself, its a bug(vul) in the php code in plugin. dont worry no one can steal your money