The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not properly validate the parameters passed to it. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in 5.4.49; however, v5.5 also fixed the fact that any authenticated user could call the reconfigure method against another user.
https://example.com/?reconfigureMethod=1&transactionId=siteurl&user_id=siteurl
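A log check for the request shape shown above, as an added example that is not part of the original advisory or the plugin's code: it scans web access-log lines for requests carrying reconfigureMethod and marks those whose transactionId or user_id names a core WordPress option. The Combined Log Format, the option list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Core WordPress option names whose deletion breaks a site (assumed list, not exhaustive).
CORE_OPTIONS = {"siteurl", "home", "blogname", "admin_email",
                "active_plugins", "template", "stylesheet"}
# Parameters named in the advisory's example request.
PARAMS = ("transactionId", "user_id")
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan(lines):
    """Return one finding per logged request that carries reconfigureMethod."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, when, _method, target, status = m.groups()
        # parse_qs percent-decodes, so an encoded option name is still matched.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "reconfigureMethod" not in query:
            continue
        named = sorted({v for p in PARAMS for v in query.get(p, [])
                        if v in CORE_OPTIONS})
        findings.append({"ip": ip, "time": when, "status": int(status),
                         "options": named,
                         "severity": "high" if named else "review"})
    return findings


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Mar/2022:10:00:01 +0000] "GET /?reconfigureMethod=1&transactionId=siteurl&user_id=siteurl HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Mar/2022:10:00:05 +0000] "GET /?reconfigureMethod=1&transactionId=8841&user_id=12 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Mar/2022:10:00:09 +0000] "GET /?p=42 HTTP/1.1" 200 9000',
    '203.0.113.7 - - [01/Mar/2022:10:00:11 +0000] "GET /?reconfigureMethod=1&transactionId=%73iteurl&user_id=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only query-string parameters are visible in access logs; the same parameters sent in a POST body would need request-body logging to be seen.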
Krzysztof Zając
Krzysztof Zając
Yes
2022-02-28 (about 11 months ago)
2022-02-28 (about 11 months ago)
2022-04-09 (about 9 months ago)