Unauthenticated Webhook Subscription Deletion — Missing Authentication + Confirmed Data Destruction
The DELETE /api/submissions/{subscriberId} endpoint on forms.plumsail.com requires ZERO authentication. Any unauthenticated attacker can permanently delete any webhook subscription by sending a singl
Platform: Self-Hosted | Severity: high | Type: no-payout
Reported by: BUG HUNTER XYZ