The changelog for version 5.2.2 of the plugin WP Review is “Fixed vulnerability issue”. While there is also a changelog for version 2.5.1, there was no version submitted between 5.2.0 and 5.2.2 being released, so it hard to be exactly sure what changes are connected in which version. We found one incomplete security change and another change that removed code that could be considered a vulnerability, both involving code in the file /includes/ajax.php. While still reviewing things we got alerted to a thread in WordPress Support Forum that indicates the second issue is being targeted by hackers, though not in a way that seems like it could lead to websites being hacked.

...

---

This post provides insights on a vulnerability in the WordPress plugin WP Review not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.

If you were using our service, you would have already been warned about this vulnerability if your website is vulnerable due to it. You can try out our service for free and then see the rest of the details of the vulnerability.

For existing customers, please log in to your account to view the rest of the contents of the post.