One of the changelog entries for the latest version of Crelly Slider is “Security patch”, which might explain why it was closed on the Plugin Directory on May 31. Looking at changes made in that version we found that capabilities checks and nonce checks (to prevent cross-site request forgery (CSRF)) where added to a number of AJAX accessible functions. The most serious issue that the lack of those checks looks to have allowed is an authenticated arbitrary file upload vulnerability, which is also exploitable through CSRF. Considering that the plugin has 20,000+ installs that might be something that hackers start to try target on websites that allow user registration (if they haven’t already). Since the plugin is still closed, you can’t update the plugin normally, so any customers needing help with that feel to contact us to get assistance.

...

---

This post provides insights on a vulnerability in the WordPress plugin Crelly Slider not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.

If you were using our service, you would have already been warned about this vulnerability if your website is vulnerable due to it. You can try out our service for free and then see the rest of the details of the vulnerability.

For existing customers, please log in to your account to view the rest of the contents of the post.

---

Need Continued Support for a Closed Plugin?

Does your website depend on a WordPress plugin that is no longer being supported by the original developer? With our Abandoned WordPress Plugin Maintenance Service, we can maintain the plugin for you, so you can safely use the plugin going forward.