The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes
As a contributor, put the following shortcode in a post/page [otheruserinfo login=“admin” field=“user_pass”][/otheruserinfo]
CPE | Name | Operator | Version |
---|---|---|---|
user-meta-shortcodes | eq | * |