In brief, all the POST requests are vulnerable to Cross-Site Request Forgery (CSRF). This is urgent and should be addressed as soon as possible if they are "really" SMBs benefiting from this project. So basically, a CSRF token should be sent with every POST request and verified in the backend, which must reject any request whose token is missing or does not match the user's session:
1 - Server sends the client a token.
2 - Client submits the form with the token, and the backend checks it before acting on the request.
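The two steps above, worked through as an added example (this is not code from the project being reported on; it is a stdlib-only, framework-free sketch of the synchronizer-token pattern). The server name, the `/update-profile` form, the session ids and the `SECRET_KEY` are all assumptions made for illustration. Tokens are bound to the session id with an HMAC over a random nonce, so a token captured from one session is useless in another, and the comparison is constant-time:

```python
"""Synchronizer-token CSRF protection, stdlib only (illustrative, hypothetical server)."""
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

# Assumption: a server-side secret that is never sent to the client.
SECRET_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Step 1: the server creates a token for this session and hands it to the client."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Backend check: recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def render_form(session_id: str) -> str:
    """The form served to the client carries the token in a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="post" action="/update-profile">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="email"><button>Save</button></form>'
    )


def handle_post(session_id: str, body: str) -> tuple[int, str]:
    """Step 2: every POST is refused unless it carries a valid token for this session.

    A cross-site form posted by an attacker's page rides on the victim's cookies
    (the session id) but cannot read the victim's page, so it has no token.
    """
    fields = parse_qs(body, keep_blank_values=True)
    token = fields.get("csrf_token", [""])[0]
    if not verify_csrf_token(session_id, token):
        return 403, "CSRF check failed"
    email = fields.get("email", [""])[0]
    return 200, f"profile updated: email={email}"


if __name__ == "__main__":
    victim = "session-victim"
    # Legitimate flow: the client got the form (and its token) from the server.
    token = issue_csrf_token(victim)
    print(handle_post(victim, f"csrf_token={token}&email=me%40example.com"))
    # Forged cross-site POST: same session cookie, but no token the attacker could know.
    print(handle_post(victim, "email=attacker%40evil.example"))
    # Token stolen from the attacker's own session does not transfer to the victim.
    print(handle_post(victim, f"csrf_token={issue_csrf_token('session-attacker')}&email=x"))
```

The token is tied to the session, not stored server-side per request, so no extra state is needed; a per-session token that never expires is the simplest form, and rotating it on login (and pairing it with `SameSite` cookies as defence in depth) tightens it further.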
Read more about CSRF here: https://portswigger.net/web-security/csrf