What is the security risk of a wordpress ajax login without nonce check?

Question

I have been reading about the usage of nonce for the ajax called functions to wordpress backend. I can easily imagine the security risk caused by www.malicious_site.com that