Lack of CSRF checks on the Filters page could allow attackers to add/edit/update/delete categories and delete all categories, as well as perform reflected XSS attacks.
v1.0.8 fixed the reflected XSS, however no CSRF check on delete and delete_all_category actions
v1.1.0 released, no additional fix
v1.1.1 released, no additional fix
January 3rd, 2020 - Vendor contacted about lack of CSRF checks
January 4th, 2020 - Vendor Acknowledgment
January 7th, 2020 - v1.1.2 Released, no fix
January 14th, 2020 - Vendor contacted for updates. Responded that the plugin will be updated after "2 days holidays" (whatever that means)
January 22nd, 2020 - Still no updates, escalated to WP plugin team.
January 27th, 2020. v1.1.3 released, fixing the remaining CSRF issues. Capability checks are missing from AJAX calls though, but I give up on this one.