The plugin does not perform an authorisation check in the theme-plugin-file AJAX action, allowing any authenticated user, such as a subscriber, to call it and add arbitrary audit log entries. Because some entry metadata is not escaped on output, this could also lead to Stored XSS.
CPE

Name | Operator | Version
---|---|---
wp-simple-firewall | lt | 17.0.18