- Lack of CSRF, authorisation and sanitisation checks in the ajax_load_new_editor() function, registered as an AJAX method, can lead to an authenticated reflected XSS issue.
- Authenticated directory traversal leading to RCE.
XSS: As an authenticated user (with a role as low as Subscriber), open https:///wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea;=">
RCE: Save the below code in an HTML file, then open it while logged in (with a role as low as Subscriber). The PHP file will then be at https:///wp-content/uploads/nl_rce.php
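To show what the three missing controls look like in a WordPress admin-ajax handler, here is an added, hypothetical hardened handler plus a path-containment helper for a user-supplied file name under the uploads directory. It is illustration code, not the plugin's own; the action name, nonce name, capability and function names are assumptions, and the code uses only standard WordPress API functions.

```php
<?php
// Added illustration, not the plugin's code. Action, nonce and function
// names are assumed; only WordPress core functions are used.

add_action( 'wp_ajax_example_load_editor', 'example_load_editor_hardened' );

function example_load_editor_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() ends the request (wp_die) when it is missing or stale.
    check_ajax_referer( 'example_load_editor', 'nonce' );

    // 2. Authorisation: a Subscriber must not reach this code path at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitisation on input, escaping on output: sanitize_key() restricts the
    //    value to [a-z0-9_-], and esc_attr() escapes it where it is reflected.
    $contentarea = isset( $_GET['contentarea'] )
        ? sanitize_key( wp_unslash( $_GET['contentarea'] ) )
        : '';

    echo '<div id="' . esc_attr( $contentarea ) . '"></div>';
    wp_die();
}

// Containment check for a user-controlled relative path that will be written
// under wp-content/uploads. Returns the resolved path or false if it escapes
// the uploads directory or names a file type WordPress does not allow.
function example_contained_upload_path( $relative ) {
    $base = realpath( wp_upload_dir()['basedir'] );
    $rel  = ltrim( wp_normalize_path( $relative ), '/' );
    $type = wp_check_filetype( $rel );            // .php has no allowed MIME type
    if ( false === $base || '' === $rel || empty( $type['type'] ) ) {
        return false;
    }
    $base   = wp_normalize_path( $base );
    $target = $base . '/' . $rel;
    // realpath() on the parent directory resolves any ../ segments; the result
    // must still sit inside $base (the trailing slash stops prefix tricks such
    // as /uploads-evil matching /uploads).
    $parent = realpath( dirname( $target ) );
    if ( false === $parent || 0 !== strpos( wp_normalize_path( $parent ) . '/', $base . '/' ) ) {
        return false;
    }
    return wp_normalize_path( $parent ) . '/' . basename( $target );
}
```

A nonce for the hardened action is generated server-side with wp_create_nonce( 'example_load_editor' ) and sent as the nonce request parameter.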