The plugin does not have CSRF check when saving its settings, and did not escape some of them when outputting them, allowing attacker to make logged in high privilege users change them and set Cross-Site Scripting payloads
Sebastian Wolfgang Kraemer
HSASec
Yes
2015-06-17 (about 7 years ago)
2015-06-17 (about 7 years ago)
2022-04-08 (about 1 years ago)