The plugin does not check authorization when processing the ftlpp-ext-expirable-delete-user ajax action, which could allow users with roles as low as subscriber to delete temporary users generated by the plugin, furthermore it does not protect the action against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to perform the deletion on their behalf.
GET /wp-admin/admin-ajax.php?action=ftlpp-ext-expirable-delete-user&id=7 HTTP/1.1
Cookie: [Subscriber+]