In the Algolia_Admin class, both the re_index() and push_settings() functions should have a current_user_can() check. As of right now, anyone who can log in to WordPress, including the basic Subscriber role, can make AJAX calls to trigger these endpoints.
https://github.com/algolia/algoliasearch-wordpress/blob/master/includes/admin/class-algolia-admin.php#L118
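As an added illustration of the fix requested above (example code, not the plugin's own), this is the guard pattern a WordPress admin-ajax handler needs so that a Subscriber cannot trigger it: a capability check followed by a nonce check. The hook names, the `manage_options` capability and the nonce action name are assumptions, not values taken from the plugin.

```php
<?php
// Added illustration (not the plugin's code). Assumed names: the handlers are
// registered on wp_ajax_algolia_re_index / wp_ajax_algolia_push_settings, the
// required capability is 'manage_options', and the nonce action is
// 'algolia_admin_nonce'. Adjust these to the plugin's own names.

class Algolia_Admin_Hardened {

    const CAPABILITY   = 'manage_options';     // assumed: administrators only
    const NONCE_ACTION = 'algolia_admin_nonce'; // assumed nonce action name

    public function __construct() {
        // wp_ajax_* hooks fire for ANY authenticated user, Subscribers included,
        // so authorisation has to happen inside the handler itself.
        add_action( 'wp_ajax_algolia_re_index',      array( $this, 're_index' ) );
        add_action( 'wp_ajax_algolia_push_settings', array( $this, 'push_settings' ) );
    }

    /** Shared guard: reject callers lacking the capability, then verify the nonce. */
    private function authorise_request() {
        if ( ! current_user_can( self::CAPABILITY ) ) {
            // Sends a JSON error with HTTP 403 and terminates the request.
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }
        // CSRF protection: check_ajax_referer() calls wp_die() if the 'nonce'
        // request field does not match a nonce created for NONCE_ACTION.
        check_ajax_referer( self::NONCE_ACTION, 'nonce' );
    }

    public function re_index() {
        $this->authorise_request();
        // ... re-indexing work goes here ...
        wp_send_json_success( array( 'message' => 'Re-index started.' ) );
    }

    public function push_settings() {
        $this->authorise_request();
        // ... push-settings work goes here ...
        wp_send_json_success( array( 'message' => 'Settings pushed.' ) );
    }
}
```

The admin page's JavaScript must send a nonce generated with wp_create_nonce( 'algolia_admin_nonce' ) in the `nonce` field for the second check to pass.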