The plugins does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins create and delete arbitrary custom roles via CSRF attacks
To delete the custom role dj (it’s possible to delete roles created by other plugins), make a logged in admin open https://example.com/wp-admin/admin.php?page=wcj-tools&tab;=custom_roles&wcj;_delete_role=dj To create a custom role, make a logged in admin open a page containing the HTML code below