The plugin contains a Missing Authorization vulnerability due to a missing capability check in the wpfc_qtip_content AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to extract sensitive data including post content of a draft, private or password-protected post.
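The kind of check the advisory says is missing, as an added example that is not the plugin's own code: a handler for the `wpfc_qtip_content` action that returns post content only when the current user may read that post. The function name `example_qtip_content` and the request parameter `post_id` are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not taken from the plugin.
// Assumption: the post ID arrives in a request parameter named 'post_id'.

// WordPress routes authenticated admin-ajax.php requests for an action
// to the hook wp_ajax_{action}.
add_action( 'wp_ajax_wpfc_qtip_content', 'example_qtip_content' );

function example_qtip_content() {
    $post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Use one response for "no such post" and "not allowed", so the
    // endpoint does not reveal which post IDs exist.
    $deny = array( 'message' => 'Not found' );

    if ( ! $post ) {
        wp_send_json_error( $deny, 404 );
    }

    // 'read_post' is a meta capability resolved per post: a published post
    // needs only 'read', a private post needs 'read_private_posts' (or
    // authorship), and a draft falls back to the 'edit_post' check. A
    // subscriber therefore passes only for published posts.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( $deny, 404 );
    }

    // Password-protected posts have status 'publish', so the capability
    // check above does not cover them. Require the password cookie too.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( $deny, 404 );
    }

    // wp_send_json_* sends the response and terminates the request.
    wp_send_json_success(
        array( 'content' => wp_kses_post( $post->post_content ) )
    );
}
```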