2 matches found
Private Files <= 0.40 - Protection Disabling via CSRF
The plugin is missing a CSRF check when disabling the protection, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack and make the blog public. `document.getElementById("test").submit();` That will also delete the .htaccess...
WordPress Private Files plugin <= 0.40 - Protection Disabling via Cross-Site Request Forgery (CSRF) vulnerability
Protection Disabling via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress Private Files plugin versions <= 0.40. Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is temporary,...