The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback for this action has neither a capability check nor a nonce check. This enables any logged-in user to post a request to the endpoint and install, activate or deactivate any plugin. Since the action is not registered with a "nopriv" hook, this exploit can only be used when logged in.
The plugin is used in conjunction with the e-commerce plugin WooCommerce, which in most cases creates a WordPress user when a purchase is made in the shop. It is also possible to register as a customer in many of the shops. We have verified that the exploit can be used with users that have the customer role, which means that many websites are affected by this.
This exploit is available in version 2.0.9 and all the way back to version 1.0.9.
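
The missing checks described above, shown next to a hardened handler. This is an added example, not the plugin's own code: the action names, the nonce name, the allowlist slugs and `example_run_addon_install()` are hypothetical stand-ins.

```php
<?php
// Added illustration. All "example_*" names are hypothetical, not the plugin's.

// wp_ajax_{action} fires for ANY logged-in user, including subscribers and
// WooCommerce customers. Registering the hook is not an authorization check.
add_action( 'wp_ajax_example_install_addon', 'example_install_addon_unchecked' );
add_action( 'wp_ajax_example_install_addon_safe', 'example_install_addon_checked' );

// The pattern the advisory describes: no capability check, no nonce check.
function example_install_addon_unchecked() {
    $slug = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    example_run_addon_install( $slug ); // reached by every authenticated role
    wp_send_json_success();
}

// Hardened form of the same handler.
function example_install_addon_checked() {
    // 1. Request forgery: the admin page must emit
    //    wp_create_nonce( 'example_install_addon' ) and send it as "nonce".
    //    check_ajax_referer() ends the request itself when the nonce is invalid.
    check_ajax_referer( 'example_install_addon', 'nonce' );

    // 2. Authorization: only roles allowed to manage plugins may continue.
    //    The customer role holds neither capability.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Scope: accept only the addons this plugin is meant to install,
    //    not an arbitrary slug from the request (constructed sample slugs).
    $allowed = array( 'example-addon-one', 'example-addon-two' );
    $slug    = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown addon' ), 400 );
    }

    example_run_addon_install( $slug );
    wp_send_json_success();
}

// Stand-in for the plugin's existing install/activate routine (assumption).
function example_run_addon_install( $slug ) {
    return $slug;
}
```

When reviewing other plugins for the same flaw, list every `wp_ajax_` registration and confirm each callback calls both `check_ajax_referer()` (or `wp_verify_nonce()`) and `current_user_can()` before doing any privileged work.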