The plugin does not properly check authorisation, or restrict which options may be retrieved, on the wp-json/acf/v3/options/ endpoint. This could allow an unauthenticated attacker to retrieve arbitrary values from the wp_options table, such as the list of active plugins.
List all active plugins of the blog: GET /wp-json/acf/v3/options/a?id=active&field=plugins
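To check whether this endpoint has been read on a site, the access logs can be searched for requests to the route. The script below is an added example, not code from the plugin or from this advisory. It assumes combined-format access logs, and the option name it reports (id and field joined by an underscore) is an assumption inferred from the request shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# REST route named in the advisory. WordPress also serves REST routes through
# the ?rest_route= query parameter when pretty permalinks are off.
ROUTE = "/acf/v3/options/"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def inspect_line(line):
    """Return a finding dict if the line is a GET on the ACF options route, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    # Handles sites installed in a subdirectory (/blog/wp-json/...).
    _, sep, rest = unquote(url.path).partition("/wp-json")
    route = rest if sep else query.get("rest_route", [""])[0]
    if not route.lower().startswith(ROUTE):
        return None
    ident = query.get("id", [""])[0]
    field = query.get("field", [""])[0]
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "id": ident,
        "field": field,
        # Assumption from the advisory's example: id=active, field=plugins -> active_plugins
        "option": f"{ident}_{field}" if ident and field else None,
        "served": m["status"] == "200",  # a 200 means the value was returned
    }

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges), not from a real server.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-json/acf/v3/options/a?id=active&field=plugins HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /?rest_route=/acf/v3/options/a&id=active&field=plugins HTTP/1.1" 401 90 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings with `served` set to true are the ones to review first, since the response carried the option value; a 401 or 403 on the same route indicates the request was refused.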