favorite plugin is vulnerable to cross-site request forgery (CSRF). The attacks are possible because it does not send the requests via POST to prevent CSRF according to the Jenkins global security configuration, allowing to modify other user’s favorite status.