The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin’s settings and, on older versions (<= 2.7.0), inject arbitrary web scripts by tricking a logged-in user with the contributor role or higher into clicking a link.
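
The standard WordPress defence for this class of bug, shown as an added example rather than the plugin's own code or its actual fix: the save handler checks a capability, verifies a nonce, sanitizes on save, and escapes on output. The `myplugin_` names, the single text option, and the use of an `admin-post.php` handler are assumptions made for illustration.

```php
<?php
// Added example. Every "myplugin_" identifier is hypothetical.

// Settings form: carries a nonce tied to this action and the current user.
function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.' ) );
    }
    $label = get_option( 'myplugin_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <?php // Escape on output so a stored value cannot break out of the attribute. ?>
        <input type="text" name="myplugin_label" value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler, reached through admin-post.php by logged-in users only.
function myplugin_save_settings() {
    // 1. Authorization: a contributor's session must not be enough to write settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Forbidden.' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: dies unless the request carries a valid nonce for this action,
    //    which a cross-site link or auto-submitting form cannot supply.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // 3. Sanitize before storing, so markup never reaches the options table.
    $label = isset( $_POST['myplugin_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
        : '';
    update_option( 'myplugin_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```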