The plugin contains an Auth Bypass vulnerability due to the plugin leaks its OAuth client_secret, that can be used to authenticate to the client's website. Depending on the OAuth server settings, the attacker may even get an administrator role on the client's website.