The plugin does not protect the AJAX action azh_save against CSRF attacks, allowing an unauthenticated attacker to modify posts by tricking a logged-in user with rights to edit the post into submitting a crafted request. Furthermore, if the targeted user has the role of Editor or above, arbitrary web scripts can be injected into the updated post, leading to a stored cross-site scripting vulnerability.
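As an added example, not the plugin's own code, the following is a hardened WordPress AJAX handler for azh_save that closes both gaps: a nonce check against CSRF, a per-post capability check, and allow-list filtering of the submitted HTML so that a stored script cannot be saved regardless of role. The hook name follows WordPress' wp_ajax_{action} convention; the request field names (post_id, content), the nonce action name and the script handle are assumptions.

```php
<?php
// Added example (not the plugin's code): hardened handler for the azh_save
// AJAX action. Field names, nonce action and script handle are assumptions.

add_action( 'wp_ajax_azh_save', 'example_azh_save_handler' );

function example_azh_save_handler() {
    // 1. CSRF: require a nonce bound to this action. check_ajax_referer()
    //    terminates the request when the nonce is missing or invalid, which
    //    is exactly the check the vulnerable handler lacked.
    check_ajax_referer( 'azh_save_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 2. Authorization: a nonce only proves intent, not permission; still
    //    verify that the current user may edit this specific post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Stored XSS: run the submitted HTML through the post-content
    //    allow-list. wp_kses_post() strips <script> and event handlers even
    //    for users whose role would otherwise permit unfiltered HTML.
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';

    $result = wp_update_post(
        array(
            'ID'           => $post_id,
            'post_content' => $content,
        ),
        true // return a WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// The nonce has to be issued to the legitimate front end and echoed back
// with every request; here it is passed to an assumed script handle.
function example_azh_enqueue() {
    wp_localize_script( 'azh-editor', 'azhAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'azh_save_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_azh_enqueue' );
```

A cross-site request from another origin cannot read the page that carries the nonce, so a forged POST arrives without a valid one and is rejected before any post is modified.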