Error Log Viewer < 1.1.2 - Arbitrary Text File Deletion via CSRF
The plugin does not perform a nonce check when deleting a log file and has no path traversal prevention, which could allow attackers to make a logged-in admin delete arbitrary text files on the web server.
Proof of Concept
On web servers other than Windows, the /wp-content/plugins/error-log-viewer/saved_logs/ folder must exist for the attack to be successful; on Windows, there is no need for it.
To delete the readme.txt of the plugin: https://example.com/wp-admin/admin.php?page=rrrlgvwr-monitor.php&saved_logs_action=delete&rrrlgvwr_check_del=../readme
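To check whether a site has already received such a request, the access log can be searched for the delete action shown above. The following is an added example, not part of the advisory or the plugin: it assumes Combined Log Format, uses example.com as the site host, treats any path separator or `..` in `rrrlgvwr_check_del` as suspicious, and runs on constructed sample lines.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def classify(line, site_host):
    """Return None if the line is not a log-delete request, else a list of findings."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    q = parse_qs(url.query)  # percent-decodes once, as PHP does for $_GET
    if (not url.path.endswith("/wp-admin/admin.php")
            or q.get("page") != ["rrrlgvwr-monitor.php"]
            or q.get("saved_logs_action") != ["delete"]):
        return None
    findings = []
    names = q.get("rrrlgvwr_check_del", [])
    # Assumption: a legitimate saved-log name has no separator or parent reference.
    if any(".." in n or "/" in n or "\\" in n for n in names):
        findings.append("traversal")
    # A Referer from another origin (or none) on this state-changing request is
    # a CSRF hint, not proof: browsers and proxies may strip the header.
    if urlsplit(m["referer"]).hostname != site_host:
        findings.append("referer-not-same-site")
    return findings

def scan(lines, site_host):
    """Return (line_number, findings) for each delete request that has findings."""
    results = ((n, classify(line, site_host)) for n, line in enumerate(lines, start=1))
    return [(n, f) for n, f in results if f]

# Constructed sample lines, not real traffic; example.com is the host in the PoC URL.
FMT = '203.0.113.5 - - [01/Jan/2024:00:00:00 +0000] "GET {} HTTP/1.1" 200 512 "{}" "-"'
BASE = ("/wp-admin/admin.php?page=rrrlgvwr-monitor.php"
        "&saved_logs_action=delete&rrrlgvwr_check_del=")
SAMPLE = [
    FMT.format(BASE + "saved_log_1", "https://example.com/wp-admin/admin.php"),
    FMT.format(BASE + "../readme", "https://other-site.invalid/page"),
    FMT.format(BASE + "..%2Freadme", "https://example.com/wp-admin/"),
    FMT.format("/wp-admin/admin.php?page=rrrlgvwr-monitor.php", "-"),
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE, "example.com"):
        print(number, findings)
```

A hit with both findings on a request made by an administrator session is the pattern to triage first; a `traversal` hit alone with a same-site Referer still warrants checking whether the named file exists.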