The plugin does not verify that a request to change its settings was intentionally made by the user, a check that nonce validation would have provided. This makes it possible for attackers to conduct CSRF attacks against an unsuspecting administrator, tricking their browser into editing some of the plugin's settings.
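The missing check, shown as an added example that is not the plugin's own code: a settings form that embeds a nonce and a save handler that verifies both the nonce and the caller's capability before writing. The plugin slug, action, option and field names (`myplugin_*`) and the redirect target are hypothetical.

```php
<?php
// Added example. "myplugin" and every myplugin_* name are assumptions,
// not identifiers from the affected plugin.

// Render the settings form with a nonce bound to this action and user session.
function myplugin_render_settings_form() {
    $value = get_option( 'myplugin_api_endpoint', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_api_endpoint"
               value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. A handler that skips the nonce check below accepts any
// request carrying the administrator's cookies, including one the
// administrator never meant to send.
function myplugin_save_settings() {
    // Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Intent: check_admin_referer() stops the request if the nonce is
    // missing, expired, or was issued for a different action or user.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // Sanitize only after both checks have passed.
    $endpoint = isset( $_POST['myplugin_api_endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['myplugin_api_endpoint'] ) )
        : '';
    update_option( 'myplugin_api_endpoint', $endpoint );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users.
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

The capability check and the nonce check answer different questions (may this user do it, and did this user mean to), so a handler needs both.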