The plugin does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack
https://example.com/wp-admin/admin.php?page=simple_wp_membership_payments&action;=delete_txn&id;=1 will delete the transaction with ID 1
CPE | Name | Operator | Version |
---|---|---|---|
simple-membership | lt | 4.1.0 |