28 May 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in WP Open Graph

A cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability fixed in the plugin WP Open Graph is a good example of why relying on changelog entries to tell whether a new version includes a security update doesn’t work well: the version this was fixed in didn’t have a changelog entry. We ran across this because the CSRF portion was vaguely disclosed by the JPCERT/CC and credited to Koichi Kuriyama of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University. In looking into it, we found that it also involved XSS.

...


This post provides insights on a vulnerability in the WordPress plugin WP Open Graph not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.

If you were using our service, you would have already been warned about this vulnerability if your website is vulnerable due to it. You can try out our service for free and then see the rest of the details of the vulnerability.
