2 matches found
CVE-2021-24752 Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change
Multiple plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctpswitch AJAX action, which could allow any authenticated user, such as a Subscriber, to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement...
Map Block for Google Maps < 1.32 - Unauthorised Google API Key change
The gmwmapblocksavekey AJAX action, available to both authenticated and unauthenticated users, did not have any check in place to prevent unauthorised change of the Google API key...