The plugin does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog
https://example.com/wp-admin/admin-ajax.php?action=mycred-tools-select-user
Krzysztof Zając
Krzysztof Zając
Yes
2022-04-04 (about 10 months ago)
2022-04-04 (about 10 months ago)
2022-04-09 (about 10 months ago)