The plugin does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack
Make a logged in admin open the URL below, this will make them delete the shortcode with ID 1
https://example.com/wp-admin/admin.php?page=tiempocom/app/admin.php&action=delete&shortcode=1