The plugin does not have Cross-Site Request Forgery (CSRF) check when modify the thumbnail, which could allow attackers to make logged in users with the edit_post capability to perform such action via a Cross-Site Request Forgery (CSRF) attack.