The plugin has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged-in admins cancel arbitrary pre-orders via a CSRF attack.
Make a logged-in admin open the URL below (42 being the ID of a pre-order to be canceled):
https://example.com/wp-admin/admin.php?page=wc_pre_orders&action=cancel_pre_order&order_id=42
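
For triage on a site that ran an affected version, the sketch below scans web access logs for cancel requests that match the URL above and carry CSRF indicators. It is an added example, not code from the advisory or the plugin. It assumes combined-format access logs, the site host example.com, and WordPress's default `_wpnonce` query parameter; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?'
    'page=wc_pre_orders&action=cancel_pre_order&order_id=42 HTTP/1.1" 302 0 '
    '"https://other-site.example/promo.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-admin/admin.php?'
    'page=wc_pre_orders&action=cancel_pre_order&order_id=7&_wpnonce=0a1b2c3d4e '
    'HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=wc_pre_orders" '
    '"Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:06:00 +0000] "GET /wp-admin/admin.php?'
    'page=wc_pre_orders HTTP/1.1" 200 5120 "https://example.com/wp-admin/" '
    '"Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def classify(line, site_host="example.com"):
    """Return None for unrelated lines, else the order id and CSRF indicators."""
    m = LINE_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    if (not url.path.endswith("/wp-admin/admin.php")
            or query.get("page") != ["wc_pre_orders"]
            or query.get("action") != ["cancel_pre_order"]):
        return None
    reasons = []
    # Assumption: the nonce travels in WordPress's default _wpnonce parameter.
    # Its presence does not prove the server validated it.
    if "_wpnonce" not in query:
        reasons.append("no-nonce")
    # A Referer of "-" or another host: not reached from the site's own admin pages.
    if urlsplit(m["referer"]).hostname != site_host:
        reasons.append("foreign-or-missing-referer")
    return {"order_id": query.get("order_id", ["?"])[0], "reasons": reasons}

def suspicious(lines, site_host="example.com"):
    """List (order_id, reasons) for cancel requests with any indicator."""
    hits = [classify(line, site_host) for line in lines]
    return [(h["order_id"], h["reasons"]) for h in hits if h and h["reasons"]]

if __name__ == "__main__":
    print(suspicious(SAMPLE_LOG))
```

Hits are leads for review, not proof: compare the flagged order IDs against the store's cancellation history and the admin's actual activity.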