Enforce/verify state parameter of callback. Please update as soon as possible.
"The extension fails to check/validate the state parameter on the callback. This opens up the extension to an authentication bypass using a clickjacking technique. In effect a CSRF vulnerability (https://cwe.mitre.org/data/definitions/352.html) is present." - @f3ndot