The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders
Make a logged in user with the wpcode_activate_snippets capability open the URL below
https://example.com/wp-admin/admin.php?page=wpcode-tools&view=logs&wpcode_action=delete_log&log=../../delete-me.log
This will make them delete the ~/wp-content/delete-me.log