Description
The export_users_csv function, registered as an authenticated AJAX call and allowing to export users, was missing the authorisation/capability check. CSRF check was in place, reducing the severity of the issue. Only version 1.15 seems to be affected as the export functionality is a new feature introduced by it.