The plugin does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack
https://example.com/wp-admin/admin.php?page=simple_wp_membership_payments&action=delete_txn&id=1 will delete the transaction with ID 1
muhamad hidayat
muhamad hidayat
Yes
2022-02-25 (about 1 years ago)
2022-02-25 (about 1 years ago)
2022-04-17 (about 1 years ago)