The plugin does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues
Make a logged in admin open a page containing the HTML code below The XSS (payload is in the short parameter of the base64 encoded data above) will be triggered when viewing the settings again, as well as in the frontend page/post where the [WPBF] shortcode is embed
CPE | Name | Operator | Version |
---|---|---|---|
bitcoin-faucet | eq | * |