20 Nov

The Importance of Catching Serious WordPress Plugin Vulnerabilities Early

Last Friday we discussed a remote code execution (RCE) vulnerability that we had caught being introduced into a plugin through our proactive monitoring of changes made to plugins in the Plugin Directory, which we do to try to catch serious vulnerabilities. In that post we noted that we couldn’t recall the check that caught it ever having flagged a possible vulnerability before. So when looking at changes being made to plugins yesterday, it was surprising to see that code being added to three more plugins was flagged by that same check, but it turned out to be good news.

Those three plugins (Feedback Form – Collect Vital Information, Free tools to engage your customers, and Feedify:Free Web Push Notifications) are by the same developer as the one that was flagged last week. While they were adding almost the same code that had been added to the plugin we found to be vulnerable last week, the difference is that additional code has been added before the code flagged by our check is run, which prevents those plugins from being vulnerable. If we hadn’t caught that first plugin, even more plugins and more websites would have become susceptible to a serious vulnerability.

By comparison, earlier today we mentioned another security company that claims to have sat on a serious security vulnerability until it was fixed, which only happened after others noticed it six months later and after a connected vulnerability might already have been exploited.