The plugin did not properly check for CSRF in some of its actions handled by the listen_for_actions method (hooked as admin_init), allowing attackers to make logged in users with the manage_options capability do unwanted actions such as empty the logs, dismiss notice and so on
https://example.com/wp-admin/admin.php?_mc4wp_action=empty_debug_log https://example.com/wp-admin/admin.php?_mc4wp_action=dismiss_review_notice https://example.com/wp-admin/admin.php?_mc4wp_action=renew_lists_cache https://example.com/wp-admin/admin.php?_mc4wp_action=dismiss_api_key_notice
2021-06-01 (about 11 months ago)
2021-06-01 (about 11 months ago)
2021-06-01 (about 11 months ago)