A CSRF vulnerability in the plugin gives attackers the possibility to craft an AJAX request, which lets blog administrators alter plugin settings. Due to a lack of encoding for malicious data when displaying it in the admin backend, there is a Stored XSS. Also, as the user input coming from the attacker is directly being passed to the WPDB query() method, there might be a possible SQL injection.