The plugin contains a Missing Authorization vulnerability due to a missing capability check in the pm_messenger_show_messages and pm_messenger_send_new_message AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to read and edit other user's messages.