Description

The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Because the settings are neither sanitised on input nor escaped on output, this also leads to Stored Cross-Site Scripting.
Create an HTML file with the following content and have a logged-in admin access it:
Navigate to the plugin’s settings to trigger the XSS.
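For reference, the two defects the advisory describes (no nonce check on save, no sanitisation or escaping of the stored value) and their fix, shown on a hypothetical WordPress settings handler for an imaginary plugin "example_plugin". This is an added illustration, not the affected plugin's code; the option and action names are assumptions.

```php
<?php
// Added illustration for a hypothetical plugin "example_plugin" (not the affected plugin's code).
// The first pair of functions reproduces the advisory's defects; the second pair fixes them.

// --- Vulnerable pattern: no nonce check, no sanitisation on save, no escaping on output ---
function example_plugin_save_settings_vulnerable() {
    // Every POST is trusted: a form submitted cross-site by a logged-in admin's
    // browser is indistinguishable from a legitimate one (CSRF).
    update_option( 'example_plugin_title', $_POST['title'] ); // stored unsanitised
}
function example_plugin_render_vulnerable() {
    // Raw option echoed into HTML: stored XSS fires when an admin opens the settings page.
    echo '<input name="title" value="' . get_option( 'example_plugin_title' ) . '">';
}

// --- Hardened pattern ---
function example_plugin_save_settings() {
    // 1. Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // 2. CSRF check: dies unless the request carries a valid nonce for this action.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );
    // 3. Sanitise on input before storing.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'example_plugin_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?page=example_plugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_save_settings' );

function example_plugin_render() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <!-- 4. Escape on output: esc_attr() neutralises any stored markup in the attribute context. -->
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'example_plugin_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for settings handlers that call update_option() on request data without a preceding check_admin_referer()/wp_verify_nonce() call and a sanitize_*() call, and for output paths that echo options without an esc_*() wrapper.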