APIs are one of the best features of web applications. I see API accessibility empowering the web as a back-end tool for many applications, and this makes web application security forever relevant. Because insecure API endpoints, makes for insecure applications.
The webmaster-tools-verification plugin included a useful feature for users. Cleaning up after itself if disabled. It appears their intention was to ensure they tidied up any meta data their plugin may have left in your database, if you ever chose to remove the plugin. They even made it accessible via an API endpoint.
How nice. Unfortunately too nice. They omitted all authorization checks in the API endpoint. Meaning, anyone can tell the site to disable it’s plugins.
The patch actually uncovered another bug during testing. The code was barely functioning, but I could see how it worked in the developer’s environment. Writing the patch required re-writes of original functions, editing forms, adding and verifying nonces, as well as the most important, verifying the request if being made from a user with the authorization to disable plugins.
You can read more technical details about this Last Patch of webmaster-tools-verification’s arbitrary plugin disablement bug on the Patchstack blog.