Public CVE-2019-15324 disclosure

The profile-builder plugin before 2.1.4 for WordPress has no access control for activating or deactivating addons via AJAX.