The plugin does not have any CSRF check in place, allowing attackers to make a logged in admin delete the entire WordPress installation v1.2 attempted to fix the issue by adding an authorisation check to ensure that the user executing the request is an admin, which does not fix anything CSRF related.
https://example.com/wp-admin/admin-ajax.php?action=uninstall
2015-02-11 (about 8 years ago)
2014-12-11 (about 8 years ago)
2021-08-30 (about 2 years ago)