From 5fc8f51531ab7c11928511202f3e88c713055fae Mon Sep 17 00:00:00 2001
From: Nurul Umbhiya
Date: Tue, 16 Jan 2024 14:28:04 +0600
Subject: [PATCH] fix: Broken Access Control Issue

Fixed a broken access control vulnerability that allowed lower privileged users to execute plugin settings without permission. Added current_user_can() checks to prevent unauthorized access.
---
 src/Insights.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/Insights.php b/src/Insights.php
index b1988aa..8187d88 100644
--- a/src/Insights.php
+++ b/src/Insights.php
@@ -496,6 +496,10 @@ public function handle_optin_optout()
 return;
 }
 
+ if (!current_user_can('manage_options')) {
+ return;
+ }
+
 if (isset($_GET[$this->client->slug . '_tracker_optin']) && $_GET[$this->client->slug . '_tracker_optin'] === 'true') {
 $this->optin();