"This nonce was also used to verify whether or not a user could upload files to the server. As the script didn't use any other form of identification to check or authenticate the user's privilege to upload files, it was possible for any user to complete the upload in there," says the blog post.
- Log in and get his nonce via wp-admin
- Send an AJAX file upload request containing the leaked nonce and his backdoor
"So long story short – don't only use nonces to protect sensitive methods; always add functions such as 'current_user_can()' or the likes to confirm a user's right to do something."
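To make the quoted advice concrete, below is an added example of an admin-ajax upload handler in WordPress, written first the way the article describes the flaw (nonce only) and then with the capability check the blog post recommends. This is illustration code, not code from the article or from the affected plugin; the action name `example_upload`, the request field names `nonce` and `file`, and the choice of the `upload_files` capability are assumptions made for the example.

```php
<?php
// Added example (not the plugin's or the article's code). The action name
// 'example_upload', the request fields 'nonce' / 'file' and the capability
// 'upload_files' are assumptions chosen for illustration.

require_once ABSPATH . 'wp-admin/includes/file.php'; // for wp_handle_upload()

// BEFORE: the pattern the article describes. A nonce only proves the request
// came from a page that embedded that nonce; it says nothing about whether the
// caller is allowed to upload, so any logged-in user holding a nonce gets through.
function example_upload_nonce_only() {
    check_ajax_referer( 'example_upload', 'nonce' ); // CSRF check only
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json( $result );
}

// AFTER: keep the nonce (it still defends against CSRF), but refuse the request
// unless WordPress confirms the current user holds the relevant capability.
function example_upload_hardened() {
    check_ajax_referer( 'example_upload', 'nonce' ); // still needed: CSRF

    // Authorization: a nonce is not a credential. Ask WordPress whether this
    // user may upload media at all; low-privilege roles normally may not.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted' ), 403 );
    }

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( array( 'message' => 'No file supplied' ), 400 );
    }

    // wp_handle_upload() also applies the site's allowed-MIME-type filtering,
    // so keep it rather than moving the file yourself.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Register only the hardened handler for logged-in users. The
// wp_ajax_nopriv_{action} hook is deliberately not registered, so anonymous
// requests are rejected by admin-ajax.php before they reach this code.
add_action( 'wp_ajax_example_upload', 'example_upload_hardened' );
```

The two checks answer different questions: `check_ajax_referer()` asks "did this request originate from a page this site served to this user?", while `current_user_can()` asks "is this user permitted to perform this action?". Dropping the second is exactly what let a low-privilege account complete the upload in the case above.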