Description The plugin does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack.
Make a logged in admin open one a page with the code below, this will make them delete the menu with ID 1: