### Critical Vulnerability Information

#### 1. Use of Unvalidated Input

- **Location**: REST API route handling functions
- **Description**: Client-submitted data is not adequately validated, posing potential risks of SQL injection or command injection.
- **Code Example**:

```php
register_rest_route( 'nua-request', '/v1/connect-app', array(
    'methods'  => 'GET',
    'callback' => array( $this, 'user_connect_app_callback' ),
    // ... (remainder of the route definition not shown in the report)
```

#### 2. Lack of Authentication and Authorization Checks

- **Location**: Multiple REST API route handling functions
- **Description**: Some API routes lack authentication and authorization checks, potentially allowing unauthorized access.
- **Code Example**:

```php
register_rest_route( 'nua-request', '/v1/disconnect-app', array(
    'methods'  => 'GET',
    'callback' => array( $this, 'disconnect_app_callback' ),
    // ... (no permission_callback shown for this route)
```

#### 3. Exposure of Sensitive Information

- **Location**: `send_push_notification()` function
- **Description**: The push notification feature may expose user data, leading to data leakage risks.
- **Code Example**:

```php
public function send_push_notification( $user_id ) {
    $user_details = get_userdata( $user_id );
    $fcm_token    = sanitize_text_field( $request->get_header( 'FCMToken' ) );
    // ... (remainder of the function not shown in the report)
```

#### 4. Insecure Remote Requests

- **Location**: `wp_remote_post()` function call
- **Description**: Remote requests lack sufficient response validation, potentially leading to deserialization or malicious request risks.
- **Code Example**:

```php
$response = wp_remote_post('https://app.newuserapprove.com/wp-json/nu Ms/link', ...
```

These vulnerabilities may lead to security issues and require further security audits and remediation.
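Findings 1 and 2 both come down to how the route is registered. The following is an added example, not the plugin's own code, showing the same `nua-request` namespace registered with an explicit `permission_callback` and per-argument validation; the callback names, the `fcm_token` argument and the user-meta key are hypothetical.

```php
<?php
// Added example (not the plugin's code): a hardened REST route registration.
// The 'nua-request' namespace and '/v1/connect-app' path are taken from the report;
// everything else (callback names, argument name, meta key) is hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'nua-request', '/v1/connect-app', array(
        // Connecting an app changes state, so require POST rather than GET.
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'nua_example_connect_app',
        // Without a permission_callback the route is reachable by unauthenticated
        // callers. WordPress evaluates this before the main callback runs; for
        // cookie-authenticated requests it has already verified the X-WP-Nonce header.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'read' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
            }
            return true;
        },
        // Declared args are validated and sanitized by the REST layer before the
        // callback sees them, so unexpected shapes are rejected with a 400.
        'args' => array(
            'fcm_token' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    // Tokens are opaque; constrain length and character set rather
                    // than trusting whatever the client sends.
                    return is_string( $value ) && strlen( $value ) <= 4096
                        && 1 === preg_match( '/^[A-Za-z0-9:_\-]+$/', $value );
                },
            ),
        ),
    ) );
} );

function nua_example_connect_app( WP_REST_Request $request ) {
    // Act on the authenticated identity, never on a client-supplied user id.
    $user_id   = get_current_user_id();
    $fcm_token = $request->get_param( 'fcm_token' ); // already validated and sanitized
    // update_user_meta() goes through $wpdb's prepared statements internally.
    update_user_meta( $user_id, 'nua_example_fcm_token', $fcm_token );
    return rest_ensure_response( array( 'connected' => true ) );
}
```

The same pattern applies to the `/v1/disconnect-app` route from finding 2: a `permission_callback` that ties the request to the logged-in user, and a state-changing HTTP method rather than GET.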