The plugin does not perform authorisation or CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, which includes generating a new backup encryption key (so existing backups encrypted with the old key are no longer decryptable from the plugin's settings). v4.3.5 added a capability check, but the CSRF check is still missing, so an administrator who visits an attacker-controlled page can still be made to trigger the reset.
v < 4.3.5 - wget "http://example.com/wp-admin/admin.php?action=rest-nonce" --post-data="xcloner_restore_defaults=1" -q -O-

v < 4.3.6 (via CSRF):
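The two missing checks the advisory describes, shown as an added illustrative WordPress handler that is not XCloner's own code. The option name, action name, POST field and nonce field (example_plugin_settings, example_plugin_restore_defaults, example_restore_defaults, _example_nonce) are assumptions for this example. The first function has the unprotected shape (any request carrying the POST field resets settings and rotates the key); the second adds the capability check that v4.3.5 introduced and the nonce check that is still absent.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical.
const EXAMPLE_OPTION = 'example_plugin_settings';
const EXAMPLE_ACTION = 'example_plugin_restore_defaults';

function example_reset_settings() {
    // Defaults include a freshly generated backup encryption key, which is
    // why an unauthorised reset is destructive: old backups stay encrypted
    // under a key the plugin no longer holds.
    $defaults = array(
        'encryption_key' => bin2hex( random_bytes( 32 ) ),
    );
    update_option( EXAMPLE_OPTION, $defaults );
}

// Vulnerable pattern (< 4.3.5 shape): no current_user_can(), no nonce.
// Reachable by an unauthenticated POST and by a cross-site form alike.
function example_restore_defaults_vulnerable() {
    if ( ! empty( $_POST['example_restore_defaults'] ) ) {
        example_reset_settings();
    }
}

// Hardened pattern: authorisation first, then CSRF. A capability check on
// its own (the 4.3.5 state) still lets a logged-in admin be CSRF'd, because
// the browser attaches the admin's cookies to a form posted from any site.
function example_restore_defaults_hardened() {
    if ( empty( $_POST['example_restore_defaults'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies a nonce bound to this action and the
    // current user session and dies on failure; a cross-site form cannot
    // know the value.
    check_admin_referer( EXAMPLE_ACTION, '_example_nonce' );
    example_reset_settings();
}

// The legitimate settings form must embed the matching nonce.
function example_render_reset_form() {
    echo '<form method="post">';
    wp_nonce_field( EXAMPLE_ACTION, '_example_nonce' );
    echo '<input type="hidden" name="example_restore_defaults" value="1">';
    submit_button( 'Restore defaults' );
    echo '</form>';
}

add_action( 'admin_init', 'example_restore_defaults_hardened' );
```

Order matters in the hardened handler: the capability check rejects anonymous and low-privilege callers outright, and the nonce check rejects requests from privileged users that did not originate from the plugin's own form, which is the case the CSRF PoC exercises.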