The plugin does not protect some of its actions in the admin_block_country_initial_page function against CSRF attacks, allowing an attacker to modify country blocks or methods on their behalf by tricking a logged in administrator to submit a crafted request.