The plugin does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low-privilege users such as subscribers could delete arbitrary assets, as well as put arbitrary posts in the trash. v1.0.1 added a check to ensure that the post to be removed is an asset. However, the plugin is still missing capability and CSRF checks.
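One way to close all three gaps the advisory names (nonce, asset type, capability), as an added example written for this page and not the plugin's own code; the `remove_asset` action name comes from the advisory, while the asset post type slug `ea_asset`, the nonce action name `ea_remove_asset` and the script handle `ea-admin` are assumptions:

```php
<?php
// Added illustration, not the plugin's code. Action name "remove_asset" is from
// the advisory; post type slug, nonce action and script handle are assumed.
define( 'EA_ASSET_POST_TYPE', 'ea_asset' );      // assumed post type for assets
define( 'EA_REMOVE_NONCE', 'ea_remove_asset' );  // assumed nonce action name

// Hardened handler for the remove_asset AJAX action. Reaching a wp_ajax_* hook
// only proves the caller is logged in; subscribers are logged in too, so the
// hook itself is not an authorisation check.
function ea_remove_asset_handler() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates with HTTP 403 if it is missing or stale.
    check_ajax_referer( EA_REMOVE_NONCE, 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id ) {
        wp_send_json_error( 'missing post_id', 400 );
    }

    // 2. Type check: refuse anything that is not an asset, so the action
    //    cannot be used to trash ordinary posts or pages.
    if ( get_post_type( $post_id ) !== EA_ASSET_POST_TYPE ) {
        wp_send_json_error( 'not an asset', 400 );
    }

    // 3. Capability: the current user must be allowed to delete this specific
    //    post (meta capability, resolved through map_meta_cap).
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( 'could not trash asset', 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_remove_asset', 'ea_remove_asset_handler' );

// The admin-side script needs the nonce to send with the request; expose it
// together with the AJAX URL when the plugin's script is enqueued.
function ea_localize_remove_nonce() {
    wp_localize_script( 'ea-admin', 'eaRemove', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( EA_REMOVE_NONCE ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ea_localize_remove_nonce' );
```

The order matters little for security, but checking the nonce first means unauthenticated-intent (CSRF) requests are rejected before any database lookup.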
As a subscriber, or via CSRF against any authenticated user
CPE

Name | Operator | Version |
---|---|---|
enqueue-anything | eq | * |