The plugin uses an insufficiently unique cryptographic signature in the wa_pdx_op_config_set function. This could allow an unauthenticated attacker to change the validation_token in the plugin config, which gives access to the plugin’s remote control functionality, such as creating an admin access URL that can be used for privilege escalation.