AntiHacker by Bill Minozzi <= 4.19 - Subscriber+ Arbitrary Plugin Installation
LANACOMMONVDB ID: a0ede324-76b5-4447-a5b6-44337f9b9451
The plugin does not have proper authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org repository.