WordPress Security Providers Not Warning About Likely Targeted Unfixed Vulnerability in WordPress Plugin
During the weekend, third-party data we monitor recorded what appeared to be a hacker probing websites for usage of the WordPress plugin ContentStudio. The requests were looking for the plugin’s readme.txt file:
/wp-content/plugins/contentstudio/readme.txt
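A request for a plugin's readme.txt is a common way to confirm that a plugin is installed, so it is worth flagging in web server logs. The following is an added example, not part of the original post: a small PHP script that picks out plugin readme.txt probes from access log lines and groups them by client address. The log lines are constructed for the example, and the combined log format layout and the function name are assumptions.

```php
<?php
// Added example (not from the original post): flag requests for plugin
// readme.txt files in a web server access log and summarise them per client.
// The log lines below are constructed; the combined-log-format layout is assumed.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [14/Jun/2025:03:12:01 +0000] "GET /wp-content/plugins/contentstudio/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jun/2025:03:12:02 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2025:03:15:44 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2025:03:15:45 +0000] "GET /wp-content/plugins/contentstudio/readme.txt HTTP/1.1" 404 196 "-" "curl/8.0"
LOG;

/**
 * Return one record per request for a plugin readme.txt:
 * ['ip' => ..., 'plugin' => ..., 'status' => ...].
 */
function find_plugin_readme_probes(string $log): array
{
    $probes = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client address, then the request line, then the HTTP status code.
        $pattern = '~^(\S+) .*?"(?:GET|HEAD) /wp-content/plugins/([^/"]+)/readme\.txt[^"]*" (\d{3})~';
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        $probes[] = ['ip' => $m[1], 'plugin' => $m[2], 'status' => (int) $m[3]];
    }
    return $probes;
}

/**
 * Group probes by client address: ip => ['plugins' => [...], 'hits' => n].
 * A 200 means the plugin is present; a 404 still shows the client was looking.
 */
function summarise_by_client(array $probes): array
{
    $summary = [];
    foreach ($probes as $p) {
        $summary[$p['ip']]['hits'] = ($summary[$p['ip']]['hits'] ?? 0) + 1;
        $summary[$p['ip']]['plugins'][$p['plugin']] = $p['status'];
    }
    return $summary;
}

foreach (summarise_by_client(find_plugin_readme_probes(SAMPLE_LOG)) as $ip => $info) {
    $plugins = [];
    foreach ($info['plugins'] as $name => $status) {
        $plugins[] = sprintf('%s (%d)', $name, $status);
    }
    printf("%s: %d readme.txt probe(s): %s\n", $ip, $info['hits'], implode(', ', $plugins));
}
```

Run with `php probe-scan.php`; on a real server replace `SAMPLE_LOG` with the contents of the access log. A single readme.txt request is not proof of anything, but a client requesting readme.txt for several plugins in quick succession is a reasonable trigger for a closer look, and a 200 response tells you which of the probed plugins the site actually has installed.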
We did a quick check of the plugin to see if it had any easy-to-spot serious vulnerabilities of the type that hackers are known to exploit. That led to us finding that the plugin is fundamentally insecure.
As detailed in a more technical post, the only restriction the plugin places on access to some of its functionality, including creating new WordPress posts, is that the request must include a valid security token. The problem with that is that even those not logged in to WordPress can set a new value for the security token. So a hacker can set a new value for the token and then access the plugin’s other functionality. That would at least allow them to create spam content on the website.
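The flaw described above is a pattern rather than a one-off: a shared secret gates a privileged action, but the endpoint that sets the secret has no access control of its own, so the gate can be opened by whoever walks up to it. The following is an added example written for this post, not ContentStudio’s code and not from the original article: a hypothetical "demo-connector" plugin showing that insecure pattern on a WordPress REST route, beside a hardened version in which only an administrator can rotate the token, the server chooses its value, and the token is checked in constant time before a post is created. The route names, option names and the `X-Demo-Token` header are assumptions.

```php
<?php
/*
 * Added example (not ContentStudio's code): a hypothetical "demo-connector"
 * plugin. Route names, option names and the header name are assumptions.
 */

// --- Insecure pattern: anyone, logged in or not, can set the gating token ---
add_action('rest_api_init', function () {
    register_rest_route('demo-insecure/v1', '/token', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // unauthenticated callers allowed
        'callback'            => function (WP_REST_Request $req) {
            // The "secret" comes from the request itself, so it is no secret at all:
            // whoever sets it can then pass the token check on the other endpoints.
            update_option('demo_connector_token', sanitize_text_field($req->get_param('token')));
            return rest_ensure_response(['updated' => true]);
        },
    ]);
});

// --- Hardened version ---
add_action('rest_api_init', function () {
    // 1. Only an administrator may rotate the token, and the server picks its
    //    value. Only a hash is stored, so a database read does not reveal it.
    register_rest_route('demo/v1', '/token', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'callback'            => function () {
            $token = wp_generate_password(64, false); // 64 random alphanumerics
            update_option('demo_connector_token_hash', hash('sha256', $token));
            return rest_ensure_response(['token' => $token]); // shown to the admin once
        },
    ]);

    // 2. Creating content requires the token, compared in constant time, and the
    //    result is a draft owned by a configured author rather than a live post.
    register_rest_route('demo/v1', '/posts', [
        'methods'             => 'POST',
        'permission_callback' => function (WP_REST_Request $req) {
            $stored = (string) get_option('demo_connector_token_hash', '');
            $given  = hash('sha256', (string) $req->get_header('X-Demo-Token'));
            if ($stored === '' || !hash_equals($stored, $given)) {
                return new WP_Error('rest_forbidden', 'Invalid token.', ['status' => 403]);
            }
            return true;
        },
        'args' => [
            'title'   => ['type' => 'string', 'required' => true, 'sanitize_callback' => 'sanitize_text_field'],
            'content' => ['type' => 'string', 'required' => true, 'sanitize_callback' => 'wp_kses_post'],
        ],
        'callback' => function (WP_REST_Request $req) {
            $post_id = wp_insert_post([
                'post_title'   => $req->get_param('title'),
                'post_content' => $req->get_param('content'),
                'post_status'  => 'draft',
                'post_author'  => (int) get_option('demo_connector_author', 0),
            ], true);
            if (is_wp_error($post_id)) {
                return $post_id;
            }
            return rest_ensure_response(['id' => $post_id]);
        },
    ]);
});
```

The two things that matter when reviewing a plugin for this class of problem are visible in the hardened half: the endpoint that changes the secret has its own capability check (`current_user_can`) rather than relying on the secret, and the secret is never accepted from an unauthenticated request. Storing a hash and using `hash_equals` are secondary hardening; creating drafts instead of published posts limits the damage if the token does leak.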
Failure of WordPress Plugin Directory Review
The insecurity of the plugin has existed since the plugin was introduced into the WordPress Plugin Directory in August 2020. Before plugins are allowed into that, it is claimed that they are “manually review[ed]” and that the review checks the code for security and other issues. So either that review failed to catch something that it should have or there wasn’t a review (a likely possibility considering that one person claims to have single-handedly reviewed more than 46,800 plugins).
WPScan and Wordfence Fail to Warn
Thankfully, none of the customers of our main service are using the plugin, so we didn’t need to rush out a warning about this vulnerability. One implication of that is that other WordPress security providers have had additional time to be the first to warn about this, but they haven’t.
For example, Automattic’s WPScan, which markets itself on its homepage with the claim that you will “[b]e the first to know about vulnerabilities affecting” your WordPress plugins, isn’t warning about this.
Another provider, Wordfence, when marketing their Wordfence Intelligence service, claims their data on WordPress plugin vulnerabilities is “continuously updated in real-time as new vulnerabilities in WordPress software such as plugins and themes are discovered and disclosed”, that it is “comprehensive and extremely current”, and that it is “actively maintained by some of the top WordPress vulnerability researchers in the industry”. Despite that, we just checked their data through their Wordfence Security plugin and they are not warning that the plugin contains a vulnerability.
Plugin Security Scorecard Grade for Wordfence Security
Checked on June 12, 2025.