The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in admin toggle the debug mode via a CSRF attack.
Proof of Concept
To access debug logs, as any authenticated user: https://example.com/wp-admin/admin-ajax.php?action=fs_get_debug_log