The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in 5.4.49, however v5.5 also fixed the fact that any authenticated could call the reconfigure method against another user
https://example.com/?reconfigureMethod=1&transactionId;=siteurl&user;_id=siteurl