SecNews: Querying private posts and changing post meta

Summary --- Unauthenticated user can run arbitrary post queries and insert arbitrary numeric post meta via vulnerable /wp-content/themes/SecNews-NewCustom/functions/ajax.php file. I'm including two exploits in one report because the fix for both is the same, i.e. delete ajax.php. Run arbitrary po...