The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check when updating a post status, which could allow any authenticated users, such as subscriber to update arbitrary post status.