Multiple plugins from the Cool Plugins vendor are missing capability checks and proper CSRF checks in the cool_plugins_install and cool_plugins_activate AJAX actions. These actions are available to any authenticated user, allowing them to install and activate arbitrary plugins via an archive hosted on a remote server they control.
Jerome Bruandet (nintechnet)
Yes
2022-04-12 (about 9 months ago)
2022-04-12 (about 9 months ago)
2022-04-13 (about 9 months ago)
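
The two missing checks described above, shown in a hardened install handler. This is an added example, not the vendor's code or its actual fix. Only the action name cool_plugins_install comes from the advisory; the function name, the nonce action, the `nonce` and `slug` request parameters, and the allowlisted slugs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened handler, not the Cool Plugins code.
// Registered only on wp_ajax_ (logged-in users), never on wp_ajax_nopriv_.
add_action( 'wp_ajax_cool_plugins_install', 'example_cool_plugins_install' );

function example_cool_plugins_install() {
    // CSRF check: the nonce must be bound to this specific action.
    // check_ajax_referer() ends the request with a 403 when it does not verify.
    check_ajax_referer( 'example_cool_plugins_install', 'nonce' );

    // Capability check: being logged in is not enough, the user must be
    // allowed to install plugins (administrators on a default site).
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Never take a package location from the request. Accept a slug only,
    // and only one from a fixed allowlist (constructed sample values).
    $allowed = array( 'example-addon-one', 'example-addon-two' );
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the download link from the wordpress.org plugin directory.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( true !== $result ) {
        wp_send_json_error( array( 'message' => 'Install failed' ), 500 );
    }

    wp_send_json_success( array( 'slug' => $slug ) );
}

// The cool_plugins_activate handler needs the same two gates, with its own
// nonce action and current_user_can( 'activate_plugins' ), before it
// calls activate_plugin().
```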