@ooohboi You are welcome. I hope you can fix it and that you can pass the Wordfence validation. I’ll check it to see if I can help with something else 🙂
This reply was modified 3 years, 2 months ago by Eduardo.
Hi @ooohboi
I think the plugin does not check the user's capability when calling the `file_batch_delete_callback` function, which allows any subscriber-level user to delete attachments via AJAX. This could lead to data loss or information disclosure if an attacker exploits this vulnerability.
I suggest you add a capability check to make sure the user has permission to delete attachments. For example, you could use the `current_user_can('delete_posts')` function before performing any action.
Thanks
Regards
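As an added illustration of the fix suggested above (example code, not the plugin's own handler), this is what a hardened AJAX batch-delete callback looks like in WordPress. The action name `example_file_batch_delete`, the nonce name and the `ids` request field are assumptions; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_delete_attachment`, `wp_send_json_*`) are the standard core APIs.

```php
<?php
// Added example, not code from the plugin discussed in the thread.
// Hook names, nonce action and the 'ids' POST field are assumptions.

// Only the logged-in hook is registered. Note that wp_ajax_* on its own
// performs NO capability check: every authenticated user, subscribers
// included, can reach this function unless the body checks for itself.
add_action( 'wp_ajax_example_file_batch_delete', 'example_file_batch_delete_callback' );

function example_file_batch_delete_callback() {
    // 1. CSRF protection: the request must carry a nonce that the admin page
    //    created with wp_create_nonce( 'example_file_batch_delete' ).
    //    check_ajax_referer() dies with a -1 response on failure.
    check_ajax_referer( 'example_file_batch_delete', 'nonce' );

    // 2. Coarse capability gate, as suggested in the thread: subscribers
    //    do not hold delete_posts, so they stop here.
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Normalise the submitted IDs to positive integers only.
    $ids = isset( $_POST['ids'] ) ? (array) $_POST['ids'] : array();
    $ids = array_filter( array_map( 'absint', $ids ) );

    $deleted = array();
    $denied  = array();

    foreach ( $ids as $id ) {
        // 3. Per-item check: the ID must be an attachment, and the meta
        //    capability delete_post for that specific ID must be granted
        //    (authors may delete their own uploads, not other users' files).
        if ( 'attachment' !== get_post_type( $id ) || ! current_user_can( 'delete_post', $id ) ) {
            $denied[] = $id;
            continue;
        }

        // Force-delete bypasses trash; drop the second argument to trash instead.
        if ( wp_delete_attachment( $id, true ) ) {
            $deleted[] = $id;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted, 'denied' => $denied ) );
}
```

The two checks are complementary: the nonce stops a logged-in user from being tricked into issuing the request from another site, and the capability checks stop a low-privilege account from issuing it on purpose. Checking `delete_post` against each attachment ID, rather than only the blanket `delete_posts`, also keeps one contributor from deleting another user's uploads.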