Vulnerability Details: Cross-Site Request Forgery (CSRF)/Settings Change in Custom Simple Rss
One of the changelog entries for the latest version of Custom Simple Rss is “fix – fixed some security issues”. Looking over the changes made in that version, we found that protection against cross-site request forgery (CSRF) was added to the code that changes the plugin’s settings, which prevents an attacker from causing a logged-in Administrator to change the settings without intending to. Enough sanitization was already done when saving the settings that there does not appear to have been anything more serious, such as cross-site scripting (XSS), exploitable through that.
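As an added illustration (not Custom Simple Rss's own code) of what such a fix looks like in a WordPress plugin, here is a settings handler without CSRF protection beside the same handler with a nonce check and a capability check; the option name, nonce action and function names are hypothetical.

```php
<?php
// Added illustration, not Custom Simple Rss's own code. The option name,
// nonce action and function names are hypothetical.

// BEFORE: any POST that reaches this handler changes the setting. A form
// on another site can submit it in the browser of a logged-in Administrator,
// who has no intention of changing anything.
function csr_example_save_settings_unprotected() {
    if ( isset( $_POST['csr_example_feed_url'] ) ) {
        update_option( 'csr_example_feed_url', $_POST['csr_example_feed_url'] );
    }
}

// AFTER: the settings form carries a nonce tied to a specific action, and
// the handler refuses the request unless the nonce validates and the
// requester actually has the right to manage options.
function csr_example_settings_form() {
    echo '<form method="post">';
    // Emits a hidden field named csr_example_nonce holding a nonce for the
    // action "csr_example_save_settings", tied to the current user session.
    wp_nonce_field( 'csr_example_save_settings', 'csr_example_nonce' );
    echo '<input type="text" name="csr_example_feed_url" />';
    submit_button();
    echo '</form>';
}

function csr_example_save_settings_protected() {
    if ( ! isset( $_POST['csr_example_feed_url'] ) ) {
        return;
    }
    // Authorization: a nonce proves intent, not privilege, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: dies with a 403 page if the nonce is missing or invalid,
    // so a cross-site form post, which cannot know the nonce, stops here.
    check_admin_referer( 'csr_example_save_settings', 'csr_example_nonce' );

    // Sanitize before storing so the saved value cannot be misused later.
    $url = esc_url_raw( wp_unslash( $_POST['csr_example_feed_url'] ) );
    update_option( 'csr_example_feed_url', $url );
}
```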
…