ShareaholicAdmin::add_location is accessible for every registered user.
$_POST['location'] is not escaped.
Then it’s displayed as
$location_id on admin page.
Proof of Concept:
Login as regular user (created using wp-login.php?action=register) then:
XSS will be visible for admin:
- 10-11-2014: Discovered
- 10-11-2014: Vendor notified
- 26-02-2015: Second notification
- 28-02-2015: Version 22.214.171.124 released, issue resolved