I discovered, that anyone can run a task on a site running NopCommerce 4.3, if he knows the name of the task.
While some tasks may appear to be harmless, other can be very long-running. The attacker can run tasks at a very high speed and make the site very busy and unresponsive.
The problem is in ScheduleTaskController:
[HttpPost]
[IgnoreAntiforgeryToken]
public virtual IActionResult RunTask(string taskType)
{
...
}