Featured Image from URL <= 3.9.9 is vulnerable to Arbitrary Settings Update to Stored XSS via CSRF vulnerability

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.9.9. This is due to missing or incorrect nonce validation on the fifu_update_menu_options function. This makes it possible for unauthenticated attackers to trigger plugin options updates via forged request granted they can trick a site administrator into performing an action such as clicking on a link.