The plugin does not protect its settings page against CSRF attacks. An attacker with no account on the site can therefore change the plugin's settings, and on older versions (<= 4.9.1) inject arbitrary web scripts, by tricking a logged-in user with the Contributor role or higher into opening a crafted link while authenticated; the victim's session is what authorizes the forged request.
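In WordPress, CSRF protection on a settings form means a nonce check (check_admin_referer / wp_verify_nonce) on the request that saves the settings, alongside a capability check so that low-privilege roles cannot save at all, and escaping on output so a stored value cannot become a script. The following is an added illustration, not code from the affected plugin, whose identifiers the advisory does not give: the hook name, option name, form field and capability (`example_*`, `manage_options`) are assumptions, and the vulnerable handler is shown next to a hardened one.

```php
<?php
// Added example, not the affected plugin's code. All example_* names, the
// option name and the form field are hypothetical.

// --- Vulnerable pattern: every request that reaches the handler is honoured. ---
// A logged-in Contributor lured to a third-party page that auto-submits a form
// to admin-post.php?action=example_save_settings changes the option silently.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_banner_html'] ) ) {
        // No nonce check, no capability check, no sanitisation: the value is
        // stored verbatim and, if echoed unescaped later, becomes stored XSS.
        update_option( 'example_banner_html', $_POST['example_banner_html'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}

// --- Hardened pattern: nonce + capability + sanitise on save, escape on output. ---
function example_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_admin_referer() calls wp_die() on a missing/invalid nonce.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    // 2. Authorisation: a Contributor must not be able to change settings even
    //    with a valid nonce, so require the admin capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input handling: keep plain text only. If markup is genuinely needed,
    //    use wp_kses() with an explicit allow-list instead.
    $banner = isset( $_POST['example_banner_html'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_banner_html'] ) )
        : '';
    update_option( 'example_banner_html', $banner );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}

// The legitimate settings form embeds the matching nonce; a forged cross-site
// form cannot obtain it because the nonce is tied to the user's session.
function example_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <input type="text" name="example_banner_html"
               value="<?php echo esc_attr( get_option( 'example_banner_html', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Output: escape at render time so a stored value can never execute as script,
// even if an older, unsanitised value is still in the database.
function example_render_banner() {
    echo '<div class="example-banner">'
        . esc_html( get_option( 'example_banner_html', '' ) )
        . '</div>';
}

add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

The nonce check alone closes the CSRF; the capability check is what stops a Contributor from changing settings through the legitimate form, and the output escaping is what removes the script-injection consequence the advisory attributes to versions <= 4.9.1. When reviewing a plugin for this class of issue, grep every `update_option` / `$_POST` write path for a preceding `check_admin_referer` or `wp_verify_nonce` and a `current_user_can` call, and every `get_option` echo for an `esc_*` wrapper.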