WordPress Plugin: addify-product-stock-manager: CVE-2022-3451: Missing Authorization

The Product Stock Manager plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several AJAX actions such as af_sm_set_checkbox_status in versions up to, and including, 1.0.5. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those actions and make changes they are unauthorized to do so. Furthermore, proper Cross-Site Request Forgery protection is missing. This allows unauthenticated attackers to invoke those actions, via forged request granted they can trick a user into clicking on a link. The af_sm_set_checkbox_status AJAX action can be used to change arbitrary options on the site, which can be used to register administrative user accounts on the site.