The plugin does not check user capabilities on several functions, allowing low-privileged authenticated attackers (such as Subscribers) to perform actions that should only be available to users with higher privileges.
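The pattern behind this class of bug and its fix, as an added example that is not the affected plugin's code: it assumes the unprotected function is a WordPress AJAX handler, and the action, option, nonce and function names are hypothetical placeholders. It runs as part of a plugin file inside WordPress.

```php
<?php
// Hypothetical plugin code: the action name, option name, nonce action and
// function names below are placeholders, not taken from the affected plugin.

// BEFORE: wp_ajax_{action} hooks fire for every logged-in user, so without a
// capability check a Subscriber reaches the same code path as an administrator.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unchecked' );
function example_save_settings_unchecked() {
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// AFTER: authorize the caller before any state change. The handler is
// registered under a second placeholder action so both versions can sit
// side by side in one file.
add_action( 'wp_ajax_example_save_settings_checked', 'example_save_settings_checked' );
function example_save_settings_checked() {
    // Authorization: only users holding the capability that matches the
    // action may continue. 'manage_options' is an assumption; choose the
    // capability appropriate to what the function changes.
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the reply.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Request-forgery protection. A nonce proves intent, not privilege, so it
    // complements the capability check and never replaces it.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}
```

When auditing a plugin for this issue, review every `wp_ajax_*`, `admin_post_*` and REST route callback for a `current_user_can()` call (or a `permission_callback` on REST routes) that runs before the first state change.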