WordPress Users Manager - PN Plugin Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in the Users Manager - PN plugin for WordPress, affecting all versions up to and including 1.1.15. The vulnerability arises from a flawed authorization logic in the 'userspn_form_save' case of the 'userspn_ajax_nopriv_server()' function. When a non-empty user_id is provided, the function bypasses authentication checks and allows unauthenticated users to update arbitrary user meta, including sensitive fields like 'userspn_secret_token'. Additionally, the nonce required for this AJAX endpoint is exposed to all visitors, rendering the nonce check ineffective.

Impact

Exploitation of this vulnerability allows for unauthorized users to update user metadata, potentially including sensitive information such as authentication tokens.

Reproduction

To reproduce this vulnerability, send a POST request to the 'userspn_ajax_nopriv_server' endpoint with a non-empty 'userspn_form_type' set to 'user', 'userspn_form_subtype' set to 'user_alt_new', and 'userspn_form_user_id' containing the ID of the user whose metadata is to be updated. Include the 'userspn_ajax_nopriv_nonce' for the nonce check, which can be bypassed since the nonce is exposed to all users.