The lack of CSRF check could allow attacker to delete arbitrary records from the plugin (for example Professional ones) via a CSRF attack. The issue is not patched, and has ben escalated to WP plugins team on May 29th, 2020
The PoC will be displayed once the issue has been remediated