Unauthenticated Settings Change Vulnerability in WooCommerce Category Banner Management plugin <= 1.1.0

In class-woo-banner-management.php, the function wbm_save_shop_page_banner_data is also hooked into ‘wp_ajax_nopriv_’. This means the function can be accessed on the front-end for unauthenticated users. The problem is that the function wbm_save_shop_page_banner_data does not do any checks before beginning to save the settings. So anyone one could change the plugin’s setting by simply sending a request to wbm_save_shop_page_banner_data action. Unauthenticated users can add and modify banners.

$this->loader->add_action(‘wp_ajax_wbm_save_shop_page_banner_data’, $plugin_admin, ‘wbm_save_shop_page_banner_data’);
$this->loader->add_action(‘wp_ajax_nopriv_wbm_save_shop_page_banner_data’, $plugin_admin, ‘wbm_save_shop_page_banner_data’);

Proof Of Concept: