The plugin contains an Auth Bypass vulnerability. To bypass authentication, the attacker only needs to know the user's email address. Depending on the obtained email address, the attacker may even get an administrator role on the client's website.