Because of these cross-site request forgery vulnerabilities in the configuration page, the attackers can hijack the authentication of administrators for requests that disable the CAPTCHA requirement or insert cross-site scripting sequences.
Update the plugin.