The plugin was affected by a PHAR deserialisation issue, which may allow admin users to execute arbitrary code on the remote host. The plugin did not have a POP chain available, so another plugin/theme with one would need to be present, other conditions for the attack are described in the vendor's post.
2021-05-30 (about 1 years ago)
2021-05-30 (about 1 years ago)
2021-05-31 (about 1 years ago)