Company Posts for LinkedIn WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Data Deletion

Vulnerability

A vulnerability exists in the Company Posts for LinkedIn plugin for WordPress, affecting all versions through 1.0.0. The issue arises from a missing capability check in the 'linkedin_company_post_reset_handler' function, which is hooked to the 'admin_post_reset_linkedin_company_post' action. This flaw enables authenticated attackers with Subscriber-level access or higher to delete LinkedIn post data from the site's options table.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of LinkedIn post data from the WordPress site's options table.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'admin_post_reset_linkedin_company_post' action. This request will trigger the 'linkedin_company_post_reset_handler' function, which lacks proper authorization checks, resulting in the deletion of LinkedIn post data from the site's options table.

Added: Mar 21, 2026, 4:33 AM
Updated: Mar 21, 2026, 4:33 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.