The plugin does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack
https://example.com/wp-admin/admin.php?page=simple_wp_membership_payments&action=delete_txn&id=1 will delete the transaction with ID 1