CSRF/XSS vulnerability in Private Only could allow an attacker to do almost anything an admin user can (WordPress plugin) CVE-2015-5483