Are there any security risks when submitting data-attribute data through AJAX?

When dealing with submit forms, even if they are sent with AJAX, you must play by the "Never trust user's input" rule.

Every data-attribute can be changed or edited via the Inspector. Your only trusted validation should be on the server side, as you did with:

if ( isset($_POST['author_id']) || is_numeric($_POST['author_id']) )

Personally, I would invert the logic and first check all the attributes before starting any action.

check_ajax_referer( '*****', 'security' );

// reject when the value is missing OR is not numeric
if ( ! isset($_POST['author_id']) || ! is_numeric($_POST['author_id']) ) {
    // tell the villain that this tower is watched
    wp_send_json_error( 'Wrong author ID!' );
}

// now it is safe to cache
$author_id = $_POST['author_id'];

Stolen from Codex.

The parameters are passed through a URI encoding so I wouldn’t worry too much about data type or casting.
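An added example, not part of the original answer: a stricter server-side check for a value that came from an editable data-attribute, showing which inputs pass `is_numeric()` but are not usable IDs. `parse_author_id()` is a hypothetical helper and the sample inputs are constructed; in the AJAX handler it would run after `check_ajax_referer()`, with a `null` result sent to `wp_send_json_error()`.

```php
<?php
// Added example. parse_author_id() is a hypothetical helper name.

/**
 * Return the author ID as a positive int, or null if the submitted value
 * is missing or is not a plain positive integer.
 */
function parse_author_id(array $post): ?int
{
    // Missing key, or an array sent as author_id[]=1: reject before any type check.
    if (!isset($post['author_id']) || !is_string($post['author_id'])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only integer syntax, so "12.5" and "1e3"
    // fail here even though is_numeric() accepts both; min_range drops 0 and negatives.
    $id = filter_var($post['author_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Constructed sample inputs: values an edited data-attribute could submit.
$samples = [
    'valid'    => ['author_id' => '42'],
    'missing'  => [],
    'array'    => ['author_id' => ['42']],
    'float'    => ['author_id' => '12.5'],
    'exponent' => ['author_id' => '1e3'],
    'negative' => ['author_id' => '-3'],
    'trailing' => ['author_id' => '42abc'],
];

foreach ($samples as $label => $post) {
    $raw = $post['author_id'] ?? null;
    printf(
        "%-9s is_numeric=%-5s parsed=%s\n",
        $label,
        var_export(is_string($raw) && is_numeric($raw), true),
        var_export(parse_author_id($post), true)
    );
}
```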
