The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks as the wp_newsletter_show_localrecord page is not protected with a nonce.
https://localhost/wp-admin/admin.php?page=wp_newsletter_show_localrecord&action=delete&rid=1