StopBadBots by Bill Minozzi <= 7.23 - Subscriber+ Arbitrary Plugin Installation
LANACOMMONVDB ID: 185ff811-61e7-4e2d-8177-edde1876cd87
The plugin does not have proper authorisation and Cross-Site Request Forgery (CSRF) checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from the wordpress.org repository.