The plugin does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them
Proof of Concept
Install the plugin and configure any mailer other than Default.
Access the wp-admin area with a Subscriber+ user and monitor the traffic using your preferable tool.
Look for var yaySmtpWpData = in the HTTP Response and you'll find all the leaked credentials.