ATTN dplugin users of Scripts Organizer. There is a security issue that allows attackers to modify code.
As of version 2.4.2 of the plugin (the most current version on GitHub), a request to the “admin AJAX” URL at /wp-admin/admin-ajax.php?action=saveScript can be run without authentication and without requiring a security token (nonce). The code is triggered by the unauthenticated wp_ajax_nopriv_saveScript action, registered in plugins/scripts-organizer/admin/feature__scripts-manager-functions.php:
add_action( 'wp_ajax_nopriv_saveScript', array($this, 'saveScript_func') );
A solution has not been released as yet. We don’t know of any ETA on a fix.
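
Until a fixed release exists, a site owner can stop the unauthenticated hook from reaching saveScript_func with a small must-use plugin. The following is an added example, not the plugin's own code or an official patch. The file name, the function names, the 'manage_options' capability requirement and the existence of an authenticated wp_ajax_saveScript hook are assumptions; it also assumes no legitimate anonymous visitor needs to save scripts.

```php
<?php
/**
 * Temporary mitigation for the unauthenticated saveScript AJAX action.
 * Added example, not code from the Scripts Organizer plugin.
 * Hypothetical location: wp-content/mu-plugins/block-savescript-nopriv.php
 *
 * WordPress runs hook callbacks in ascending priority order, so a callback
 * at PHP_INT_MIN runs before the plugin's handler (default priority 10),
 * no matter when the plugin registered it. wp_send_json_error() ends the
 * request, so saveScript_func is never reached.
 */

// Anonymous callers: log the attempt and refuse with HTTP 403.
add_action( 'wp_ajax_nopriv_saveScript', 'so_mitigation_block_anonymous', PHP_INT_MIN );

function so_mitigation_block_anonymous() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'Blocked unauthenticated saveScript request from %s', $ip ) );
    wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 );
}

// Assumption: the plugin also registers the logged-in counterpart
// wp_ajax_saveScript (not shown on the page). If it does, and it lacks a
// nonce or capability check too, any logged-in account could call it, so
// restrict it to administrators. 'manage_options' is an assumed requirement.
add_action( 'wp_ajax_saveScript', 'so_mitigation_require_admin', PHP_INT_MIN );

function so_mitigation_require_admin() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    // Administrators fall through to the plugin's own handler.
}
```

The error_log entries double as a detection signal: any hit means something requested the saveScript action without a session. Remove the file once a fixed version of the plugin is installed.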