Security Tip for Developers: Make Sure To Check a User’s Capabilities When Processing an Admin AJAX Request
One common cause of security issues with WordPress plugins that we continue to see is a failure to properly check whether a user should be able to use the admin AJAX functions they are sending requests to. Since the wp_ajax_ hook makes the AJAX function accessible to any logged-in user, without a capability check even a Subscriber-level user can access functions meant only for Administrators.
In most cases you will also want to make sure you are protecting against cross-site request forgery (CSRF) in those AJAX requests.
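The following is an added example, not code from the original post, showing an admin AJAX handler for a hypothetical plugin (the hook name, option name and script handle are assumptions) first without any checks and then with a nonce check for CSRF and a capability check for authorization:

```php
<?php
// Added example for a hypothetical plugin that lets an administrator
// save a setting through admin-ajax.php. Names below are assumptions.

// BEFORE (shown for contrast, intentionally not registered with add_action):
// any logged-in user, a Subscriber included, could reach this handler,
// because wp_ajax_ only requires that the request be authenticated.
function myplugin_save_setting_unsafe() {
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'myplugin_setting', $value );
    wp_send_json_success();
}

// AFTER: verify the nonce (CSRF) and the capability (authorization)
// before doing anything privileged.
add_action( 'wp_ajax_myplugin_save_setting', 'myplugin_save_setting' );
function myplugin_save_setting() {
    // check_ajax_referer() ends the request with "-1" if the nonce sent in
    // the "nonce" field is missing or invalid for this action.
    check_ajax_referer( 'myplugin_save_setting', 'nonce' );

    // Capability check: only users who may manage options get further.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'myplugin_setting', $value );
    wp_send_json_success();
}

// Hand the nonce and AJAX URL to the plugin's admin-side JavaScript so the
// legitimate request can include the "nonce" field the handler expects.
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
function myplugin_enqueue_admin_script() {
    wp_enqueue_script(
        'myplugin-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_save_setting' ),
    ) );
}
```

The nonce check alone is not enough: a Subscriber can obtain a valid nonce from any page where it is emitted, so the capability check is what actually restricts the action to Administrators.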