1 Description
Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action.
Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website.
2 Proof of Concept
3 Actions taken after discovery
Vendor was informed on 2015/05/19.