Several weeks ago we detected what look to be someone probing for usage of the plugin Simplr Registration Form Plus+ on one of our website, which is usually an indication that a hacker is aware of an exploitable vulnerability in the plugin. Checking over the plugin we found that there was a vulnerability that would allow someone creating a WordPress account through the plugin to create an account with user specified role instead the role they were intended to have. You could not create an account with the Administrator role, but you could create one with the Editor role (or on a website with custom roles, those as well). Since Editor level users have access to capabilities that could introduce additional security issues, that was a pretty serious issue.

The response time in dealing with this wasn’t great. The developer only attempted to patch the vulnerability vulnerability two weeks after we had notified them. Before that it took a week for the Plugin Directory to remove the plugin from the directory, until it was fixed, after we had notified them.

Unfortunately the version intended to fix this, 2.4.4, also introduced unrelated major changes that caused the front end portion of the plugin to be broken. That lead to people reverting to the previous version, 2.4.3, which contains the vulnerability. Even after we posted in the thread about that issue, mentioning that it would be a bad idea to use that version due to the security issue in it, there was an additional person mentioning that the they were reverting to the old version. Thankfully this morning version 2.4.5 was released, which fixes that issue.

This seems to be a good example of why it is a good idea to keep the release of important security fixes separate from major changes in a plugin. That is how the core WordPress software handles it, security fixes are included in new minor version, not in major versions, and in a number of cases new minor release with security fixes have been put out shortly before a new major release.