The lack of CSRF checks could allow attackers to make a logged administrator change some of the plugin's settings.
CSRF
No
2020-12-29 (about 2 years ago)
2020-12-30 (about 2 years ago)