Description
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Remediation
References
Related Vulnerabilities
WordPress Plugin WordPress Download Manager Multiple Vulnerabilities (2.8.7)
WordPress Plugin QIWI payment module for Woocommerce Cross-Site Scripting (0.0.9)
WordPress Plugin Chained Quiz Cross-Site Scripting (1.2.7)
WordPress Plugin WOOCS-Currency Switcher for WooCommerce Professional Cross-Site Scripting (1.3.7.4)