Vulnerability Details: Multiple in WP Private Content Plus
The plugin WP Private Content Plus was closed on the Plugin Directory on the 23rd. The plugin has 9,000+ installs, so it falls below our monitoring threshold of closed plugins. Yesterday a new version was submitted to the Plugin Directory with a changelog entry “Fix security issues related to settings” and a Subversion commit “Version 2.0 with major security fixes”. The closure would appear to be due to NinTechNet having reported a settings change vulnerability, which leads to persistent cross-site scripting (XSS), to the team running the Plugin Directory. That vulnerability was fixed in the new version.
...
This post covers a vulnerability in the WordPress plugin WP Private Content Plus that was not discovered by us. The discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of the post's contents are limited to subscribers of our service.