Description The plugin does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack
Make any logged in user open https://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1 to make them delete the shipment with ID 1