Don't run elasticsearch on a public endpoint
This only affects people who somehow didn't get the memo that it is an extremely bad idea to run something like a database, or indeed Elasticsearch, on a public port. Seriously, don't do that, ever. If you do so anyway, you'll at least want to put some security in place, such as an HTTPS proxy + basic authentication.
If you don't do that, this hole in the API is the least of your problems: you are trivially exposed to people crashing Elasticsearch with a few nasty queries, filling up your disk with some write traffic, killing all CPU by sending some expensive queries, or stealing all the data you have in Elasticsearch. If all that is fine with you, then yes, you also expose yourself to remote script execution. In a controlled environment, scripting support in ES is still useful. Scripts are similar to stored procedures in a database.
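The "HTTPS proxy + basic authentication" setup the comment recommends, as an added example that is not part of the original comment: nginx terminates TLS and enforces basic auth, and Elasticsearch itself listens only on loopback. Hostname, certificate, key and htpasswd paths are placeholders.

```nginx
# Added example, not the commenter's configuration. Elasticsearch is assumed
# to be bound to loopback only (network.host: 127.0.0.1 in elasticsearch.yml),
# so port 9200 is never reachable except through this proxy.
server {
    listen 443 ssl;
    server_name es.example.internal;              # placeholder hostname

    ssl_certificate     /etc/nginx/tls/es.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/es.key;    # placeholder path

    # Every request must carry valid credentials before it reaches ES.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;  # e.g. htpasswd -c /etc/nginx/es.htpasswd esuser

    location / {
        proxy_pass         http://127.0.0.1:9200;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
    }
}

# Refuse plaintext HTTP so the basic-auth credentials are never sent in clear.
server {
    listen 80;
    server_name es.example.internal;              # placeholder hostname
    return 301 https://$host$request_uri;
}
```

A quick check after reloading nginx: an unauthenticated request to `https://es.example.internal/` should return 401, and `curl http://127.0.0.1:9200` should only succeed from the host itself. Note that basic auth gates access but does not limit what an authenticated user can do, so credentials should be issued only to people who may legitimately run arbitrary queries and scripts.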