While reviewing a vague claim from a problematic security provider that the latest version of the plugin fixed a vulnerability, we ran across a minor security issue that still exists. The AJAX accessible function feedback_notice_dismiss() in the file /src/WPML_UserFeedback.php lacks both a capabilities check and a nonce check, leaving it open to cross-site request forgery (CSRF). Given what can be done through that function, this isn't a big deal, but it still should have those security checks.
The AJAX accessible function product_education_dismiss() in the file /src/WPML_ProductEducation.php is also missing a capabilities check, though it does have a nonce check.
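For reference, here is what a dismiss-notice AJAX handler with both of the missing checks looks like. This is an added example and not code from the plugin; the hook name, action name, capability and user-meta key are hypothetical, while check_ajax_referer(), current_user_can(), wp_send_json_error(), update_user_meta(), wp_localize_script() and wp_create_nonce() are the standard WordPress functions.

```php
<?php
/**
 * Added example (not the plugin's own code): a dismiss-notice AJAX handler
 * that performs the two checks the page says are missing, a nonce check
 * and a capabilities check. Hook, action, capability and meta-key names
 * below are hypothetical.
 */

// Register the handler for logged-in users only. There is deliberately no
// wp_ajax_nopriv_ hook, so anonymous requests never reach this function.
add_action( 'wp_ajax_example_notice_dismiss', 'example_notice_dismiss' );

function example_notice_dismiss() {
    // 1. CSRF protection: the request must carry a nonce created for this
    //    action. check_ajax_referer() dies with a -1 response when the nonce
    //    is missing or invalid, so nothing below runs for a forged request.
    check_ajax_referer( 'example_notice_dismiss', 'nonce' );

    // 2. Authorization: only users allowed to manage the plugin may dismiss
    //    its notices. Pick the capability that matches the admin screen the
    //    notice is shown on; 'manage_options' is an assumption here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only now is any state changed. Storing the flag per user means one
    // user's dismissal cannot hide the notice for everyone else.
    update_user_meta( get_current_user_id(), 'example_notice_dismissed', 1 );

    wp_send_json_success();
}

// On the admin screen that renders the notice, hand the nonce to the script
// that fires the AJAX request so the request can include it.
add_action( 'admin_enqueue_scripts', 'example_notice_enqueue' );

function example_notice_enqueue( $hook_suffix ) {
    wp_enqueue_script( 'example-notice', plugins_url( 'notice.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-notice', 'exampleNotice', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_notice_dismiss' ),
    ) );
}
```

The client script then POSTs `action=example_notice_dismiss` together with `nonce=<exampleNotice.nonce>` to `exampleNotice.ajaxUrl`. The order of the two checks matters: the nonce check runs first so a forged cross-site request dies before any capability lookup, and the capability check runs before the state change so a low-privilege user with a valid nonce still cannot alter it.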