The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash
https://example.com/wp-admin/edit.php?post_type=easy-pricing-table&page=ept3-list&action=trash&post=1