The plugin is affected by a Broken Access Control, Cross-Site Request Forgery (CSRF) vulnerability that can be used to modify the OAuth server endpoints, which leads to an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrative role on the client’s website.