miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion

The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in 5.4.49, however v5.5 also fixed the fact that any authenticated could call the reconfigure method against another user

PoC

https://example.com/?reconfigureMethod=1&amp;transactionId;=siteurl&amp;user;_id=siteurl