That’s certainly not what we want! I want to be as helpful as I can, to get this resolved for you.
Don’t just remove the shortcode from the site: completely remove the donation form by making it a draft:
That should stop it as far as is possible from our side. Beyond that, either your host or Cloudflare will need to be the ones to turn off the flood.
You mention DDOS, so is the site completely down? Cloudflare should definitely be able to stop a DDOS attack: that’s what they do.
Once you get the site back operational, we can definitely work with you to get your donations back up and running, but the step before the first step is to stop the DDOS attack. That’s not something that we can help with, and it’s directly in Cloudflare’s wheelhouse.
Cloudflare said it was injecting through your plugin as well as Stripe also said that and the report from the team at my hosts also have logs showing your plugin is effected. Maybe recaptcha will help your plugin.
It claims to support GiveWP right out of the box. There’s a chance that it will help, but given that you say the attack is happening via admin-ajax at this point, I am not sure that will help.
5) Implementing a reCAPTCHA We don’t generally recommend the reCAPTCHA option because it slows down the donation experience and looks unsightly. It can harm your donations sometimes more than benefit them. But sometimes it’s really your last line of defense. So if you really want to implement it, here’s how:
We want to help, but the distributed nature of WordPress itself means that we can only really provide pointers and we rely on you to give us as clear a picture as possible of exactly how GiveWP is being exploited. If there is sensitive data that you’d rather not post on this public forum, you can reach out to us at https://givewp.com/contact-us and mention this forum post.