Privilege Escalation Vulnerability in Pretty Links
One of the changelog entries for the latest version of the WordPress plugin Pretty Links is “Security hardening.” Looking at the changes made, we found that a nonce check to prevent cross-site request forgery (CSRF) was added in the new version. Looking closer, we found that another security check was still missing, and that the vulnerability that had existed did not involve only CSRF. We have notified the developer of the missing security check, which is also still missing in other similar code, and have offered to help them address it.
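A nonce check only proves that the request was intentionally submitted from a page the site generated; it says nothing about whether the submitting user is allowed to perform the action. The following generic WordPress admin-ajax handler is an added example written for this post and is not Pretty Links code, nor a statement about which specific check that plugin lacks. All names in it (`example_plugin_save_link`, `example_plugin_nonce`, `example_plugin_target_url`) are hypothetical; the WordPress functions it calls (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `update_option`) are real.

```php
<?php
// Added example, not the plugin's own code. Contrasts a handler that
// performs only a nonce (anti-CSRF) check with one that also performs an
// authorization (capability) check. Plugin-specific names are hypothetical.

// Weak pattern: nonce check only.
// The nonce defends against CSRF, but it does not establish that the
// requesting user holds the privilege the action requires. Any logged-in
// user who can obtain a valid nonce reaches the privileged code path.
function example_plugin_save_link_nonce_only() {
    check_ajax_referer( 'example_plugin_nonce', 'nonce' );

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    update_option( 'example_plugin_target_url', $url );
    wp_send_json_success();
}

// Hardened pattern: nonce check plus capability check.
function example_plugin_save_link() {
    // 1. CSRF defence: verify the nonce bound to this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_plugin_nonce', 'nonce' );

    // 2. Authorization: confirm the current user may perform an
    //    administrative change. This is the check a nonce does not provide.
    //    wp_send_json_error() terminates the request after responding.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: reject empty or non-URL input before storing it.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid URL' ), 400 );
    }

    update_option( 'example_plugin_target_url', $url );
    wp_send_json_success( array( 'saved' => $url ) );
}

// Register only the hardened handler, and only for authenticated users:
// no wp_ajax_nopriv_ variant, because the action is administrative.
add_action( 'wp_ajax_example_plugin_save_link', 'example_plugin_save_link' );
```

When reviewing a plugin's "security hardening" change, the question to ask of each handler is whether both checks are present: the nonce answers "did this user mean to send this?", and the capability check answers "is this user allowed to do this?". A fix that adds only the first leaves the second gap open to every authenticated account.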
...
This post provides insights on a vulnerability in the WordPress plugin Pretty Links that was not discovered by us, and for which the discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.
If you were using our service, you would already have been warned about this vulnerability if your website is vulnerable because of it. You can try out our service for free and then see the rest of the details of the vulnerability.
For existing customers, please log in to your account to view the rest of the contents of the post.