ListingPro < 2.6.1 - Unauthenticated Arbitrary Plugin Installation/Activation/Deactivation

Unauthenticated users could install/activate/deactivate arbitrary plugins, including install one from a remote source under their control (by having $_REQUEST['ccDestin'] set to external and $_REQUEST['ccFileUrl'] to the remote ZIP file)