The plugin includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation.
http://example/wp-content/plugins/login-with-phone-number/delete.php?delete=1