In the plugin, the file βresource/frontend/product/product-shortcode.phpβ responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required. AccessAlly 3.5.7 resolved the issue.
curl -s https://example.com | grep '<div id="accessally-testing-data"'