We're now using Helper_Misc::handle_ajax_authentication for all AJAX authentication which checks user capabilities and does an Nonce check (prevents CORS).
We also adding missing unit tests for AJAX endpoints and fixed up an endpoint that didn't have an nonce.
All checks have passed
2 successful checks
— The Travis CI build passed