Reviews and Rating <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via sync_reviews AJAX Action

An authenticated attacker with subscriber-level access or higher can craft AJAX requests to the `wp_ajax_*` actions registered by the plugin. By calling `scan_profile` and `import_reviews`, the attacker triggers outbound scraping of arbitrary external websites and writes the scraped review data into the `wp_dp_reviews` database table. Additionally, calling `request_feature` sends feature-request emails spoofed from the site administrator's email address. The only protection is a nonce check, which is trivially obtainable by any logged-in user. [CWE-862]

The vulnerability resides in the `admin_init()` method of `class-reviews-and-rating-docplanner.php` (line 301 in version 1.1.4). The AJAX handlers `scan_profile`, `import_reviews`, `scan_reviews`, `sync_reviews`, and `request_feature` are registered without any capability check beyond a nonce, allowing any authenticated user (subscriber-level and above) to invoke them.

The patch is not included in the bundle, but the advisory states that the vulnerability exists because the plugin does not verify that a user is authorized to perform the action. The fix would require adding WordPress capability checks (e.g., `current_user_can('edit_pages')` or a similar appropriate capability) to each AJAX callback before executing the sensitive operation. Without such checks, any authenticated user can invoke administrative functions.