The plugin does not perform a CSRF check when updating its Access Code, which could allow an attacker to make a logged-in admin change the access code to an arbitrary value via a CSRF attack.
Make a logged-in admin open https://example.com/wp-admin/admin.php?page=wc-gsheetconnector-config&code=attacker-code
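One way to close this gap, shown as an added example that is not the plugin's own code: the settings handler accepts the code only from a POST that carries a valid WordPress nonce and comes from a user with the required capability. The `gsc_example_*` function names, the option name, the nonce action and field, and the choice of `manage_options` are assumptions; only the `page` and `code` parameters come from the report.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: gsc_example_*,
// option 'gsc_example_access_code', nonce action 'gsc_example_save_code'.

// Render the settings form with a nonce tied to the current user and action.
function gsc_example_render_form() {
    $target = admin_url( 'admin.php?page=wc-gsheetconnector-config' );
    ?>
    <form method="post" action="<?php echo esc_url( $target ); ?>">
        <?php wp_nonce_field( 'gsc_example_save_code', 'gsc_example_nonce' ); ?>
        <input type="text" name="code" value="" />
        <?php submit_button( 'Save access code' ); ?>
    </form>
    <?php
}

// Process the submission early in the admin request, before any output.
function gsc_example_save_code() {
    // Ignore anything that is not a POST to this settings page. A GET link
    // carrying ?code=... never reaches the update below.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['code'] ) ) {
        return;
    }
    if ( ! isset( $_GET['page'] ) || 'wc-gsheetconnector-config' !== $_GET['page'] ) {
        return;
    }

    // Authorization: a nonce proves intent, not privilege, so check both.
    // 'manage_options' is an assumed capability for this settings page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: stops the request if the nonce is missing, expired, or was
    // issued for a different user or action.
    check_admin_referer( 'gsc_example_save_code', 'gsc_example_nonce' );

    $code = sanitize_text_field( wp_unslash( $_POST['code'] ) );
    update_option( 'gsc_example_access_code', $code );
}
add_action( 'admin_init', 'gsc_example_save_code' );
```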