Bynder/bynder-wordpress-plugin

[Security] Unauthenticated user can upload files and replace featured images of any post

Opened this issue · 0 comments

d--j commented

The AJAX function set_bynder_featured_image has two big security flaws:

  • it is callable as an unauthenticated user. Anybody can upload/sideload anything into the WordPress media library (remove add_action( 'wp_ajax_nopriv_bynder_featured', 'set_bynder_featured_image' ); – that is not necessary for your plugin)
  • the function does not do any permission checks. Anybody can upload files (no check of upload_files capability) and can set the featured image of any post (no check of edit_post_meta meta capability)

You should also add a nonce and a nonce check in this function to prevent CSRF attacks.
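
The three fixes requested in this issue (no `nopriv` hook, capability checks, nonce check) combined in one handler, as an added example that is not the plugin's own code. The function name, the request fields `post_id`, `image_url` and `nonce`, and the nonce action string are assumptions; the per-post permission is checked here with `edit_post`.

```php
<?php
// Added example, not the plugin's code. Assumed names: the handler function,
// the POST fields 'post_id', 'image_url', 'nonce', and the nonce action string.

// Register only the authenticated hook. No wp_ajax_nopriv_* registration,
// so logged-out visitors cannot reach the handler at all.
add_action( 'wp_ajax_bynder_featured', 'example_set_bynder_featured_image' );

function example_set_bynder_featured_image() {
	// CSRF: ends the request with a 403 if the nonce is missing or invalid.
	// The page that issues the request embeds wp_create_nonce( 'bynder_featured' ).
	check_ajax_referer( 'bynder_featured', 'nonce' );

	$post_id   = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	$image_url = isset( $_POST['image_url'] )
		? esc_url_raw( wp_unslash( $_POST['image_url'] ) )
		: '';

	if ( ! $post_id || '' === $image_url ) {
		wp_send_json_error( array( 'message' => 'Missing post_id or image_url.' ), 400 );
	}

	// May this user add files to the media library at all?
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'Upload not allowed.' ), 403 );
	}

	// May this user edit this specific post? Checked per post ID, so an
	// author cannot change the featured image of someone else's post.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Editing this post is not allowed.' ), 403 );
	}

	// Sideload only after every check has passed; 'id' returns the attachment ID.
	$attachment_id = media_sideload_image( $image_url, $post_id, null, 'id' );
	if ( is_wp_error( $attachment_id ) ) {
		wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 500 );
	}

	set_post_thumbnail( $post_id, $attachment_id );
	wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

The order matters: the nonce and both capability checks run before `media_sideload_image()`, so a rejected request never writes a file to the media library.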