The plugin does not have Cross-Site Request Forgery (CSRF) check in place when updating its settings, which could allow attackers to make a logged in admin change them via a Cross-Site Request Forgery (CSRF) attack.