The plugin uses a weak random token when resending email address verifications, allowing an unauthenticated attacker to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts. Furthermore, if the Allow Automatic Login After Successful Verification setting is enabled, the attacker will be directly logged in as the impersonated user account.