7 Nov 2016

Is Poor Documentation To Blame For Some of The Security Vulnerabilities Related to WordPress’ AJAX Functionality?

One of the frequent causes of vulnerabilities being disclosed in WordPress plugins these days is functions that are made available through WordPress’ AJAX functionality without proper restrictions on who can access them. In many instances the function is available to anyone who is logged in, despite only being intended for high level users such as Administrators. In other instances there is the more serious problem of the function being available to anyone, including those who are not logged in. Seeing as many websites don’t allow untrusted individuals to register an account, a vulnerable function being accessible to those not logged in greatly increases the chances of it being exploited.

One big difference between these two issues is that to make a function accessible to those who are not logged in the developer has to explicitly register it for that (through the wp_ajax_nopriv_ hook), whereas a lack of restrictions on which logged in users can access the function is the default state of the wp_ajax_ hook. That raises the question as to what leads developers to provide access to those who are not logged in when that isn’t needed. [Read more]

16 May 2016

Security Tip for Developers: Make Sure To Check a User’s Capabilities When Processing an Admin AJAX Request

One common cause of security issues with WordPress plugins that we continue to see is a failure to properly check whether a user should be able to use the admin AJAX functions they are sending requests to. Since the wp_ajax_ hook makes the AJAX function accessible to any logged in user, without checking their capabilities even a Subscriber level user can access functions meant only for Administrators.

In most cases you will also want to make sure you are protecting against cross-site request forgery (CSRF) in those AJAX requests as well, by checking a nonce. [Read more]
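As an added example (not code from either of the posts above, nor from any particular plugin), the following PHP shows the pattern both posts describe: an admin AJAX handler registered the way it is commonly mis-written, beside a hardened version that checks a nonce and the user's capability and is not registered on the wp_ajax_nopriv_ hook. The action name myplugin_save_settings, the option name, the script handle and the settings page hook suffix are illustrative assumptions; the WordPress functions used (add_action, current_user_can, check_ajax_referer, wp_create_nonce, wp_localize_script, wp_send_json_success, wp_send_json_error, admin_url) are real core APIs.

```php
<?php
/**
 * Added example, not code from the original posts.
 * Action name, option name, script handle and page hook are assumptions.
 */

// --- Vulnerable version -----------------------------------------------------
// wp_ajax_{action} fires for ANY logged-in user (Subscriber included), and
// wp_ajax_nopriv_{action} additionally exposes it to visitors who are not
// logged in at all. With no capability check and no nonce, anyone who can
// reach /wp-admin/admin-ajax.php?action=myplugin_save_settings can change
// the option.
function myplugin_save_settings_vulnerable() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'myplugin_setting', $value );
    wp_send_json_success( 'saved' );
}
// Left commented out so the hardened handler below is the one that is registered.
// add_action( 'wp_ajax_myplugin_save_settings',        'myplugin_save_settings_vulnerable' );
// add_action( 'wp_ajax_nopriv_myplugin_save_settings', 'myplugin_save_settings_vulnerable' );

// --- Hardened version -------------------------------------------------------
function myplugin_save_settings_secure() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. On failure check_ajax_referer() calls wp_die() with "-1".
    check_ajax_referer( 'myplugin_save_settings', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require the capability
    //    the operation actually needs; a Subscriber lacks manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'myplugin_setting', $value );
    wp_send_json_success( 'saved' );
}
// Only the logged-in hook is registered: an admin-only action never needs
// a wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings_secure' );

// --- Issuing the nonce to the settings page's JavaScript ---------------------
function myplugin_enqueue_admin_js( $hook_suffix ) {
    // Assumed page hook suffix: only load on the plugin's own settings page.
    if ( 'settings_page_myplugin' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // The page script POSTs action=myplugin_save_settings, nonce=mypluginAjax.nonce
    // and value=... to mypluginAjax.url.
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_js' );
```

Two caveats worth keeping in mind when reviewing handlers like this. The nonce check is not an authorization check: if a lower-level user can reach any page that emits the nonce, they can make a request that passes check_ajax_referer(), so current_user_can() is still needed. And is_admin() is not a capability test either; it is true for every request to admin-ajax.php regardless of who sends it. A quick check for a plugin under review is to send the AJAX action with a Subscriber's cookies (and again with no cookies at all) and confirm that the response is "-1" or a 403 rather than a success.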