Because of these multiple vulnerabilities, attackers can hijack the authentication of administrators for requests that change the administrator password via the config task to index2.php.
Solution
Update the plugin.
Classification
Type: Cross Site Request Forgery (CSRF)
OWASP Top 10: A8: Cross Site Request Forgery (CSRF)