The plugin does not perform any authorisation or CSRF (nonce) check in one of its AJAX actions, allowing any authenticated user, such as a subscriber, to call it and add, delete or edit Bonds. Furthermore, because the submitted values are neither sanitised on input nor escaped on output, the same action can also lead to Stored Cross-Site Scripting issues.
Open a page containing the HTML code below as any authenticated user, or make any authenticated user open it via a CSRF attack.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | simple-bitcoin-faucets | eq | * |
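The missing checks described in the summary, shown as a vulnerable handler beside its hardened form. This is an added example and not the plugin's own code; the action name `sbf_save_bond`, the option name, the `manage_options` capability and the field names are assumed.

```php
<?php
// Added example, not the plugin's code. Action, option, capability and
// field names are hypothetical. Note that wp_ajax_* hooks already require a
// logged-in user, which is why "any authenticated user" is the relevant threat.

// Vulnerable pattern from the advisory: no nonce, no capability check, raw
// $_POST stored and later echoed unescaped. Shown for contrast only.
function sbf_save_bond_insecure() {
    $bonds = get_option( 'sbf_bonds', array() );
    $bonds[ $_POST['id'] ] = array(
        'title' => $_POST['title'],
        'url'   => $_POST['url'],
    );
    update_option( 'sbf_bonds', $bonds );
    wp_send_json_success();
}

// Hardened handler: verify the nonce (CSRF), require an administrative
// capability (authorisation), sanitise on input, escape on output.
function sbf_save_bond_secure() {
    // Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'sbf_save_bond', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id    = absint( $_POST['id'] ?? 0 );
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) );
    if ( 0 === $id || '' === $url ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $bonds        = get_option( 'sbf_bonds', array() );
    $bonds[ $id ] = array( 'title' => $title, 'url' => $url );
    update_option( 'sbf_bonds', $bonds );
    wp_send_json_success( array( 'id' => $id ) );
}
add_action( 'wp_ajax_sbf_save_bond', 'sbf_save_bond_secure' );

// Output side: escape for the HTML context even though input was sanitised.
function sbf_render_bond( array $bond ) {
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( $bond['url'] ),
        esc_html( $bond['title'] )
    );
}
// The client obtains the nonce from wp_create_nonce( 'sbf_save_bond' ),
// typically passed to the script via wp_localize_script().
```

The nonce alone does not replace the capability check: a subscriber can obtain a valid nonce for an action exposed to them, so both controls are needed for the fix the advisory calls for.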