The plugin did not properly check for CSRF in some of its module functions, allowing attacker to make logged in admin change all plugin's settings (including the email settings) for example.
v1.6.6 fixed most of CSRF checks, but the one in model.email_settings.php was improperly fixed (bypass still possible by providing a dummy nonce)
May 25th, 2021 - Vendor contacted
May 31st, 2021 - Escalated to WP due to unresponsive vendor
June 1st, 2021 - WP Investigating
June 7th, 2021, v1.6.6 released, fixing the logic expect in model.email_settings.php. WP notified again about it
June 13th, 2021 - v1.6.7 released, fixing the remaining CSRF issue