The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check when reseting plugin settings, which could allow authenticated users to reset them.