The plugin lacks authorization checks in several AJAX actions, allowing any authenticated user, including one with the Subscriber role, to call them. Registering a handler on the `wp_ajax_{action}` hook only ensures the caller is logged in; it does not check what role or capability the caller has, so each handler must enforce that itself.
Examples of actions that a low-privileged user can call directly:
- https://example.com/wp-admin/admin-ajax.php?action=resmushit_bulk_get_images
- https://example.com/wp-admin/admin-ajax.php?action=resmushit_restore_backup_files
- https://example.com/wp-admin/admin-ajax.php?action=resmushit_remove_backup_files
- https://example.com/wp-admin/admin-ajax.php?action=resmushit_update_statistics
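The advisory names the affected actions but not the missing check, so the following is an added example (written for this page, not the plugin's own code) of the pattern behind the bug and its fix. It uses one action name from the list above; the callback names, the `do_remove_backup_files()` operation, the nonce action `resmushit_admin_nonce`, and the `manage_options` capability are assumptions made for illustration.

```php
<?php
/*
 * Illustrative example, not the plugin's code. Shows an admin-ajax.php handler
 * that any logged-in user can reach, and a hardened version of the same handler.
 * Action name from the advisory; everything else is a placeholder (assumption).
 */

// BEFORE (the vulnerable pattern, registration left commented out so it does not fire):
// add_action( 'wp_ajax_resmushit_remove_backup_files', 'example_vuln_remove_backup_files' );
function example_vuln_remove_backup_files() {
    // wp_ajax_* already implies a logged-in user, but nothing here checks *which* user.
    // A Subscriber reaches this line just like an Administrator does.
    do_remove_backup_files(); // hypothetical destructive operation (assumption)
    wp_send_json_success();
}

// AFTER: nonce check (proves the request came from our own admin page, i.e. anti-CSRF)
// followed by a capability check (proves the caller is actually allowed to do this).
// A nonce alone is not authorization: any user who can load a page that prints the
// nonce can replay it, so both checks are needed.
add_action( 'wp_ajax_resmushit_remove_backup_files', 'example_fixed_remove_backup_files' );
function example_fixed_remove_backup_files() {
    // Third argument false makes check_ajax_referer() return instead of calling wp_die(),
    // so the response is a consistent JSON error with an HTTP 403.
    if ( ! check_ajax_referer( 'resmushit_admin_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // Backup removal is an administrative action; manage_options restricts it to
    // administrators. Pick the narrowest capability that fits each action (assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    do_remove_backup_files(); // hypothetical destructive operation (assumption)
    wp_send_json_success();
}

// The admin page hands the nonce and the AJAX URL to its script, so legitimate
// requests can include ?nonce=... (or a POST field named nonce).
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
function example_enqueue_admin_script() {
    // Script handle and file path are placeholders (assumption).
    wp_enqueue_script( 'example-resmushit-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-resmushit-admin', 'exampleResmushit', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'resmushit_admin_nonce' ),
    ) );
}
```

To verify a fix of this shape, log in as a Subscriber and request `admin-ajax.php?action=resmushit_remove_backup_files`: before the fix the callback runs; after it, the response is a 403 JSON error even when a valid nonce is supplied, because the capability check fails independently of the nonce check. The same two checks belong in every handler listed above, not only the destructive ones, since `resmushit_bulk_get_images` and `resmushit_update_statistics` otherwise expose plugin data to any account.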