Description: The plugin does not have an authorisation check in its events_receiver function, allowing unauthenticated users to create/update/delete posts and taxonomies, install/activate/deactivate plugins, update the customizer settings, and create/update/delete arbitrary users.
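
The missing check, as an added example that is not the plugin's own code: each class of action named in the description is mapped to the WordPress core capability that normally guards it, and the receiver rejects any event whose capability check fails before a handler runs. The event names, the `events_receiver_guarded` function and its `$can` and `$handlers` parameters are assumptions made for illustration; inside WordPress, `$can` would be `'current_user_can'`.

```php
<?php
// Added illustration, not the plugin's code. Event names are hypothetical;
// the capability names are WordPress core capabilities.
const EVENT_CAPABILITIES = [
    'post.create'       => 'edit_posts',
    'post.update'       => 'edit_posts',
    'post.delete'       => 'delete_posts',
    'taxonomy.create'   => 'manage_categories',
    'taxonomy.update'   => 'manage_categories',
    'taxonomy.delete'   => 'manage_categories',
    'plugin.install'    => 'install_plugins',
    'plugin.activate'   => 'activate_plugins',
    'plugin.deactivate' => 'activate_plugins',
    'customizer.update' => 'customize',
    'user.create'       => 'create_users',
    'user.update'       => 'edit_users',
    'user.delete'       => 'delete_users',
];

/**
 * Authorise an incoming event, then dispatch it.
 *
 * $can      capability check (hypothetical parameter; 'current_user_can' in WordPress)
 * $handlers map of event name => callable that performs the action
 * Returns [http_status, body].
 */
function events_receiver_guarded(array $event, callable $can, array $handlers): array
{
    $type = $event['type'] ?? null;
    // Deny by default: an event with no capability mapping is never dispatched.
    if (!is_string($type) || !array_key_exists($type, EVENT_CAPABILITIES) || !isset($handlers[$type])) {
        return [400, 'unknown event'];
    }
    // The authorisation check runs before any handler is reached.
    if (!$can(EVENT_CAPABILITIES[$type])) {
        return [403, 'forbidden'];
    }
    return [200, $handlers[$type]($event['data'] ?? [])];
}

// Constructed demo input: an unauthenticated caller holds no capabilities.
$handlers  = ['user.create' => fn(array $d) => 'created ' . ($d['login'] ?? '?')];
$anonymous = fn(string $cap) => false;
$admin     = fn(string $cap) => true;
$event     = ['type' => 'user.create', 'data' => ['login' => 'example']];

print_r(events_receiver_guarded($event, $anonymous, $handlers));
print_r(events_receiver_guarded($event, $admin, $handlers));
```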