While reviewing the security change made in version 2.2.3 (at least one of our customers is using the plugin), we noticed that there are still a couple of AJAX-accessible functions that lack a capabilities check and/or a nonce check. The function add_slide_template() in the file /modules/HeroCarousel/Ajax.php lacks both, leading to a vulnerability. The function deactivate_feedback() in the file /includes/Admin/Feedback.php lacks a capabilities check.
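As an added illustration (not code from the plugin), this is the shape of a WordPress admin-ajax handler carrying both checks the two functions above are missing; the action name, nonce field, option key and required capability are assumed for the example:

```php
<?php
// Added example, not the plugin's own code. Action name, option key and
// capability are assumed. Registering on wp_ajax_{action} only (no
// wp_ajax_nopriv_) means WordPress already rejects anonymous callers, but
// every authenticated user of any role still reaches the handler, which is
// why the capability check is still required.
add_action( 'wp_ajax_example_add_template', 'example_add_template' );

function example_add_template() {
    // Nonce check (CSRF protection): the request must carry a nonce that
    // was generated by wp_create_nonce( 'example_add_template' ) for the
    // current user. On failure check_ajax_referer() dies with "-1" / 403.
    check_ajax_referer( 'example_add_template', 'nonce' );

    // Capability check (authorization): an attacker with a low-privilege
    // account and a valid nonce must still not be able to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input handling: unslash, then sanitize before persisting.
    $template = isset( $_POST['template'] )
        ? sanitize_text_field( wp_unslash( $_POST['template'] ) )
        : '';

    if ( '' === $template ) {
        wp_send_json_error( array( 'message' => 'Missing template.' ), 400 );
    }

    update_option( 'example_slide_template', $template );
    wp_send_json_success( array( 'template' => $template ) );
}

// The admin page that issues the request needs the matching nonce; here it
// is handed to the page's script via wp_localize_script (assumed handle).
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_add_template' ),
    ) );
}
```

A handler that only has the nonce check, as deactivate_feedback() is described above, blocks cross-site requests but not a logged-in subscriber calling it directly; a handler with only the capability check can still be triggered cross-site against an administrator's session.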