Hello, there is no rate limiting implemented on sending the confirmation email. Thus, an attacker can use this vulnerability to bomb the email inbox of the victim.
Proof of Concept:
- Register an account on wakatime.com
- Log in to the account and go to https://wakatime.com/settings/account
- Under that, click on "send confirmation email" to any email address you want and capture that request with Burp.
- Now use Intruder to repeat the request, using different payloads for the User-Agent header.
- Check the email inbox; it will be bombed with lots of emails.
Reference from: #87531
Hope you fix this soon.
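The fix the report asks for is a server-side limit on "send confirmation email" that is keyed on the account and on the recipient address, not on anything the client controls. The following is an added example, not WakaTime's code: the class and function names, the limit of 3 sends per hour, and the `simulate_intruder` helper (which mirrors the Intruder step above by rotating the User-Agent header) are all assumptions chosen for illustration. It shows that rotating User-Agent payloads does not get past a limiter that never looks at that header.

```python
"""Added example: rate-limiting confirmation-email sends per account and per recipient.

Not WakaTime's code. Limits and names are assumptions for illustration.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ConfirmationEmailGate:
    """Gate in front of the 'send confirmation email' action.

    Assumed policy: 3 sends per hour per account AND 3 per hour per recipient
    address, so neither one account nor many accounts can flood one inbox.
    """

    def __init__(self, clock=time.monotonic):
        self.per_account = SlidingWindowLimiter(limit=3, window=3600, clock=clock)
        self.per_recipient = SlidingWindowLimiter(limit=3, window=3600, clock=clock)

    def request_send(self, account_id, recipient, request_headers):
        # request_headers (User-Agent, X-Forwarded-For, ...) is attacker-controlled
        # and deliberately ignored: the keys are the authenticated account and the
        # normalised recipient address only.
        recipient = recipient.strip().lower()
        if not self.per_account.allow(account_id):
            return "rate_limited"
        # A rejected recipient still consumes an account slot; that is intended,
        # since the account is the one making abusive requests.
        if not self.per_recipient.allow(recipient):
            return "rate_limited"
        return "sent"


class FakeClock:
    """Deterministic clock so the example runs offline and instantly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed sample payloads, standing in for an Intruder User-Agent wordlist.
USER_AGENTS = ["Mozilla/5.0", "curl/8.0", "python-requests/2.31", "Wget/1.21"]


def simulate_intruder(gate, account_id, recipient, attempts):
    """Replay the request `attempts` times with rotating User-Agent; return how many were sent."""
    sent = 0
    for i in range(attempts):
        headers = {"User-Agent": USER_AGENTS[i % len(USER_AGENTS)]}
        if gate.request_send(account_id, recipient, headers) == "sent":
            sent += 1
    return sent


if __name__ == "__main__":
    clock = FakeClock()
    gate = ConfirmationEmailGate(clock=clock)
    print("emails sent out of 50 attempts:", simulate_intruder(gate, "acct-1", "victim@example.com", 50))
    clock.advance(3601)
    print("after one hour:", gate.request_send("acct-1", "victim@example.com", {"User-Agent": "x"}))
```

In a real deployment the deques would live in a shared store such as Redis so the limit holds across web workers, and the 3-per-hour figure would be tuned to legitimate resend behaviour; the point that survives either change is that the limiter key must be the account and recipient, never a client-supplied header.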