WordPress's wp-admin/admin-ajax.php doesn't check permissions of users
to verify administrator privileges. Therefore, any logged-in user
could utilize the ajax calls for managing BitPay tokens used
by the plugin.

All ajax calls now include nonces to protect against CSRF
and check the user permissions for the ability to manage options.
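An added illustration of the fix described above, not the plugin's own code: a `wp_ajax_*` handler as it would look without any check, beside the same handler with a nonce check and a `manage_options` capability check. The action name `bitpay_save_token`, the option name `bitpay_api_token` and the script handle `bitpay-admin` are assumed.

```php
<?php
// Added example, not the plugin's code. Hook, option and script names are assumed.

// BEFORE: admin-ajax.php only requires a logged-in session for wp_ajax_* hooks,
// so any subscriber could reach this and overwrite the stored token.
// (Shown for contrast; do not register it alongside the protected handler.)
// add_action( 'wp_ajax_bitpay_save_token', 'bitpay_save_token_unprotected' );
function bitpay_save_token_unprotected() {
    update_option( 'bitpay_api_token', sanitize_text_field( $_POST['token'] ) );
    wp_send_json_success();
}

// AFTER: verify the request carries a valid nonce for this action (CSRF) and
// that the caller is allowed to manage options (authorisation), then act.
add_action( 'wp_ajax_bitpay_save_token', 'bitpay_save_token_protected' );
function bitpay_save_token_protected() {
    // Dies with "-1" and HTTP 403 if the 'nonce' field is missing, expired or forged.
    check_ajax_referer( 'bitpay_save_token', 'nonce' );

    // A nonce proves intent, not privilege: a subscriber can obtain a valid nonce
    // for their own session, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $token = isset( $_POST['token'] )
        ? sanitize_text_field( wp_unslash( $_POST['token'] ) )
        : '';
    update_option( 'bitpay_api_token', $token );
    wp_send_json_success();
}

// The admin page must hand the nonce to the browser so the JavaScript can send it
// back as the 'nonce' POST field. Assumes a 'bitpay-admin' script is registered.
add_action( 'admin_enqueue_scripts', 'bitpay_admin_enqueue' );
function bitpay_admin_enqueue( $hook ) {
    wp_localize_script( 'bitpay-admin', 'bitpayAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'bitpay_save_token' ),
    ) );
}
```

Both checks are needed: `check_ajax_referer()` alone stops cross-site requests but not a low-privilege user acting directly, and `current_user_can()` alone stops the subscriber but not a forged request riding an administrator's session.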