The plugin does not have a CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged-in admin delete arbitrary posts from the blog.
https://example.com/wp-admin/admin.php?page=wpedon_menu&action=delete&action2=delete&order[]=1
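A hardened delete handler that closes both gaps described above (the missing CSRF check and the missing ownership check). This is an added example, not the plugin's own code. The post type, nonce action and function name are hypothetical placeholders, since the page does not give the real ones; only `wpedon_menu`, `action=delete` and `order[]` come from the request above.

```php
<?php
// Added example, not the plugin's code. Assumed (hypothetical) names:
// EXAMPLE_POST_TYPE, EXAMPLE_NONCE_ACTION and example_handle_order_delete().
const EXAMPLE_POST_TYPE    = 'example_plugin_order';
const EXAMPLE_NONCE_ACTION = 'example_delete_orders';

function example_handle_order_delete() {
    // Only act on the plugin's own admin page and its delete action.
    $page   = isset( $_REQUEST['page'] ) ? sanitize_key( wp_unslash( $_REQUEST['page'] ) ) : '';
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'wpedon_menu' !== $page || 'delete' !== $action ) {
        return;
    }

    // 1. Authorization: the caller must be allowed to manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: check_admin_referer() stops the request unless a valid nonce
    //    for this action is present. The form or link that triggers the
    //    delete must emit it, e.g. with wp_nonce_field( EXAMPLE_NONCE_ACTION ).
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    // 3. Input: order[] is reduced to a list of positive integer IDs.
    $ids = isset( $_REQUEST['order'] ) ? (array) wp_unslash( $_REQUEST['order'] ) : array();
    $ids = array_filter( array_map( 'absint', $ids ) );

    foreach ( $ids as $post_id ) {
        // 4. Ownership: skip any ID that is not one of the plugin's posts,
        //    so regular posts and pages can never be deleted through here.
        if ( EXAMPLE_POST_TYPE !== get_post_type( $post_id ) ) {
            continue;
        }
        wp_delete_post( $post_id, true );
    }
}
add_action( 'admin_init', 'example_handle_order_delete' );
```

Because the delete changes state, it is better submitted as a POST form carrying the nonce than as a GET link like the one above.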