The plugin does not have authorisation and CSRF checks in multiple AJAX actions, which could allow users with a role as low as subscriber (or an attacker making any authenticated user open a malicious page) to call them and modify the plugins cache, add a new license, delete logs files, update cache rules etc.