PT-2023-16356 · WordPress · Rest Api To Miniprogram

Lana Codes · Published 2023-08-16 · Updated 2023-08-22

CVE-2023-0551 · CVSS v3.1 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: REST API TO MiniProgram WordPress plugin, versions through 4.6.1

Description: The issue concerns a lack of authorization and CSRF checks in an AJAX action within the REST API TO MiniProgram WordPress plugin. This allows any authenticated user, such as a subscriber, to call the action and delete arbitrary attachments.

Recommendations: For versions through 4.6.1, consider disabling the AJAX action related to attachment deletion until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin's features that involve attachment management until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
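For reference, this is what the two missing controls described above look like in a WordPress AJAX handler that deletes an attachment: a nonce check against CSRF and a per-object capability check for authorization. It is an added illustration, not code from the REST API TO MiniProgram plugin; the action name `myplugin_delete_attachment`, the nonce action `myplugin_delete_attachment_nonce` and the script handle are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Action, nonce and handle names
// are hypothetical placeholders.

function myplugin_handle_delete_attachment() {
    // 1. CSRF check: the request must carry a nonce issued for this action.
    //    On failure check_ajax_referer() replies "-1" and exits.
    check_ajax_referer( 'myplugin_delete_attachment_nonce', '_ajax_nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // 2. Object check: refuse anything that is not an attachment post.
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // 3. Authorization: the caller must be allowed to delete *this* post.
    //    'delete_post' is a meta capability, so a subscriber (or an author
    //    acting on another user's upload) is rejected here.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $deleted = wp_delete_attachment( $attachment_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

// Logged-in users only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_myplugin_delete_attachment', 'myplugin_handle_delete_attachment' );

// The nonce must be handed to the page that issues the request, so the
// client can send it as _ajax_nonce alongside attachment_id.
function myplugin_enqueue_admin_script() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_delete_attachment_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
```

A handler missing either step 1 or step 3 reproduces the class of flaw the advisory describes: without the nonce any page the user visits can trigger the request, and without the capability check the role of the logged-in caller is never consulted.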
