fix: Broken Access Control Issue

Fixed a broken access control vulnerability that allowed lower privileged users to execute plugin settings without permission. Added current_user_can() checks to prevent unauthorized access.
Appsero · Jan 16, 2024 · 5fc8f51 · 5fc8f51
1 parent c5fd458
commit 5fc8f51
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/Insights.php b/src/Insights.php
@@ -496,6 +496,10 @@ public function handle_optin_optout()
             return;
         }
 
+        if (!current_user_can('manage_options')) {
+            return;
+        }
+
         if (isset($_GET[$this->client->slug . '_tracker_optin']) && $_GET[$this->client->slug . '_tracker_optin'] === 'true') {
             $this->optin();