The plugin contains a Missing Authorization vulnerability due to a missing capability check in the cardealer_install_plugin AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to install and activate arbitrary plugins from WordPress.org repository.