The plugin lacks authorization checks in the ftlpp-ext-expirable-get-users ajax action, allowing logged in users with roles as low as subscriber to access the login links for the temporary users created by the plugin, which can be used for privilege escalation.
GET /wp-admin/admin-ajax.php?action=ftlpp-ext-expirable-get-users Cookie: [Subscriber+]