Bitcoin / Altcoin Faucet by Alexey Trofimov <= 1.6.0 - Settings Update to Stored XSS via CSRF
LANACOMMONVDB ID: fde55148-329f-449b-a553-fa88785c7a76
The plugin does not perform any Cross-Site Request Forgery (CSRF) check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping of the saved settings, it could also lead to Stored Cross-Site Scripting (XSS) issues.
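The checks this advisory describes as missing, shown as an added example of a WordPress settings handler; it is not the plugin's own code. The option, action, nonce, field and page names are hypothetical, and the code assumes it is loaded inside a WordPress admin context.

```php
<?php
// Added illustration, not the plugin's code. All names below are hypothetical.
const EXAMPLE_FAUCET_OPTION = 'example_faucet_title'; // hypothetical option name
const EXAMPLE_FAUCET_ACTION = 'example_faucet_save';  // hypothetical action name
const EXAMPLE_FAUCET_NONCE  = 'example_faucet_nonce'; // hypothetical nonce field

// Settings form: carries a nonce (CSRF) and escapes the stored value on output (XSS).
function example_faucet_render_form() {
    $title = get_option( EXAMPLE_FAUCET_OPTION, '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_FAUCET_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_FAUCET_ACTION, EXAMPLE_FAUCET_NONCE ); ?>
        <input type="text" name="title" value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: capability check, nonce verification, then sanitisation before storage.
function example_faucet_save_settings() {
    // Only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Dies if the nonce is missing or invalid, so a forged cross-site
    // request cannot change the settings on the admin's behalf.
    check_admin_referer( EXAMPLE_FAUCET_ACTION, EXAMPLE_FAUCET_NONCE );

    // Strip tags and control characters before the value reaches the database.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( EXAMPLE_FAUCET_OPTION, $title );

    // Hypothetical settings page slug.
    wp_safe_redirect( admin_url( 'options-general.php?page=example-faucet' ) );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_FAUCET_ACTION, 'example_faucet_save_settings' );
```

The nonce check closes the CSRF path, while sanitising on input and escaping on output each independently prevent a stored value from being rendered as markup.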