Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. Plugin simply includes the file specified in 'template' POST parameter without any further validation.
Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from]`
2015/06/01 Discovered
2015/06/01 Vendor alerted via contact form at his website
2015/06/03 Vendor responded
2015/06/03 Fixed in version 1.1.0
Update to version 1.1.0