The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions (<= 2.6.4), inject arbitrary web scripts, by tricking a logged-in user with the Contributor role or higher into clicking a link.
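As an added illustration, not the affected plugin's code (plugin, option and function names here are hypothetical), a WordPress settings-save handler of the kind this advisory describes, shown first in the unprotected pattern and then with the nonce, capability and sanitization checks that close the CSRF and script-injection paths:

```php
<?php
// Added example with hypothetical names; not the affected plugin's code.

// BEFORE (vulnerable pattern): no nonce, no capability check, raw input stored.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_footer_html'] ) ) {
        // Any POST carrying this field is honoured, so a form auto-submitted
        // from a third-party page by a logged-in user's browser succeeds, and
        // the unsanitized value is later printed into site output.
        update_option( 'example_footer_html', $_POST['example_footer_html'] );
    }
}

// AFTER (hardened): the nonce ties the request to a form the site itself
// rendered, the capability check limits who may save, and the value is
// sanitized on the way in and escaped on the way out.
function example_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings', 'example_settings_nonce' );
    echo '<textarea name="example_footer_html">'
        . esc_textarea( get_option( 'example_footer_html', '' ) )
        . '</textarea><button type="submit">Save</button></form>';
}

function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_settings_nonce'] ) ) {
        return; // Not our form submission; nothing to do.
    }
    $nonce = sanitize_key( $_POST['example_settings_nonce'] );
    if ( ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $raw    = isset( $_POST['example_footer_html'] ) ? wp_unslash( $_POST['example_footer_html'] ) : '';
    $footer = wp_kses_post( $raw ); // Strips <script> and event-handler attributes.
    update_option( 'example_footer_html', $footer );
}
add_action( 'admin_init', 'example_save_settings_hardened' );

// Output side: escape again when rendering, in case stored data predates the fix.
function example_print_footer() {
    echo wp_kses_post( get_option( 'example_footer_html', '' ) );
}
add_action( 'wp_footer', 'example_print_footer' );
```

Lower-privileged roles such as Contributor never pass the `manage_options` check, so even a valid nonce obtained by such a user cannot change the settings.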