Product Filtering by Categories, Tags, Price Range for WooCommerce Missing Authorization Vulnerability
Vulnerability
A vulnerability exists in the Product Filtering by Categories, Tags, Price Range for WooCommerce - Filter Plus plugin for WordPress, in all versions through 1.1.5. The issue arises from missing capability checks on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This flaw allows unauthenticated attackers to modify the plugin's settings and create custom filter options without authorization.
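A stop-gap for site operators, added here as an example and not taken from the plugin's code or from a vendor patch: a must-use plugin (a single file in wp-content/mu-plugins/) that puts a capability check in front of the two AJAX actions named above. The `fpg_` names, the log message format and the choice of `manage_woocommerce` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Filter Plus AJAX capability guard (added example)
 * Description: Rejects unauthorized calls to two Filter Plus AJAX actions.
 */

defined( 'ABSPATH' ) || exit;

// The two AJAX action names are the ones named in the advisory.
const FPG_GUARDED_ACTIONS = array( 'filter_save_settings', 'add_filter_options' );

// Assumption: only shop managers and administrators may change filter settings.
const FPG_REQUIRED_CAP = 'manage_woocommerce';

/**
 * Runs ahead of the plugin's own AJAX callback and ends the request
 * when the caller is not logged in or lacks the required capability.
 */
function fpg_require_capability() {
    if ( is_user_logged_in() && current_user_can( FPG_REQUIRED_CAP ) ) {
        return; // Authorized: the plugin's handler runs as usual.
    }

    // Log the rejected call so repeated probing is visible in the PHP error log.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf( 'fpg: blocked AJAX action "%s" from %s', $action, $remote ) );

    // wp_send_json_error() sends the response and terminates the request,
    // so callbacks registered later on the same hook never execute.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( FPG_GUARDED_ACTIONS as $fpg_action ) {
    // PHP_INT_MIN as priority places the guard before every other callback.
    // Both the logged-in and the logged-out (nopriv) hooks are covered.
    add_action( 'wp_ajax_' . $fpg_action, 'fpg_require_capability', PHP_INT_MIN );
    add_action( 'wp_ajax_nopriv_' . $fpg_action, 'fpg_require_capability', PHP_INT_MIN );
}
```

The guard checks capability only; it cannot verify a nonce because the plugin's nonce action name is not given on this page, so it does not replace a fixed plugin release.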
Impact
Exploitation of this vulnerability could lead to unauthorized changes in the plugin's settings and the creation of arbitrary filter options, potentially disrupting the site's functionality or user experience.
Reproduction
To reproduce this vulnerability, send an AJAX request to the 'wp_ajax_add_filter_options' or 'wp_ajax_filter_save_settings' actions without the necessary authorization. The request can include parameters to modify the plugin's settings or add new filter options. Since the vulnerability allows unauthenticated access, no login or user credentials are required.
