23 May 2025

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 23

Our customers provide us with the ability to help make WordPress plugins more secure, mostly with plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned, so we are highlighting it to help you better understand what is going on and how signing up for our service can help to expand that work.

Missing Capabilities Check Addressed

Based on our proactive monitoring flagging an issue in an update of the BEAF plugin, which has 20,000+ installs, the developer addressed a lack of a capabilities check that could have allowed an attacker to change plugin settings and upload files. All plugins being used by our customers go through an extended version of that monitoring on a weekly basis.

Missing Capabilities Check Addressed (2)

Based on our proactive monitoring flagging an issue in an update of the Advanced Ads plugin, which has 100,000+ installs, the developer addressed a lack of a capabilities check that could have allowed an attacker to upload files and take other actions. All plugins being used by our customers go through an extended version of that monitoring on a weekly basis.

Missing Capabilities Check Addressed (3)

Late last week the developer of the Broken Link Checker plugin, which has 600,000+ installs, released a security update, but failed to make it available to those using the plugin. As one or more of our customers was using the plugin, we reviewed the update and confirmed that a vulnerability was fixed. We then warned our customers about the vulnerability and the lack of an available update through normal channels. We also found that there was more code that was similarly insecure. We notified the developer of both issues and they later released a second update that addressed the additional issue.
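All three items above come down to the same defect: an admin-ajax or settings handler that acts on the request without first checking what the requesting user is allowed to do. The following is an added example, not code from BEAF, Advanced Ads, Broken Link Checker or any other plugin discussed here; it shows a hypothetical plugin's handler (the hook names, option name and settings keys are made up) first in the insecure form that this kind of report describes, then hardened with the capabilities check, a nonce check and input restrictions.

```php
<?php
// Added example of a missing capabilities check in a hypothetical WordPress
// plugin. Nothing here is taken from the plugins named in the post; the
// action name 'demo_save_settings', the option 'demo_settings' and the
// settings keys are invented for illustration.

// ---------------------------------------------------------------------
// Insecure form (shown for contrast only; deliberately NOT hooked below).
// Any logged-in user could reach this through admin-ajax.php, and if the
// developer also registered the wp_ajax_nopriv_ hook, so could anyone
// with no account at all.
// ---------------------------------------------------------------------
function demo_save_settings_insecure() {
    // Writes whatever the request contains straight into the option.
    update_option( 'demo_settings', wp_unslash( $_POST['settings'] ) );
    if ( ! empty( $_FILES['file'] ) ) {
        // Stores an arbitrary uploaded file with no check on who sent it.
        wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    }
    wp_send_json_success();
}
// add_action( 'wp_ajax_demo_save_settings',        'demo_save_settings_insecure' );
// add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_insecure' );

// ---------------------------------------------------------------------
// Hardened form: capability check, CSRF nonce check, restricted writes.
// Only the wp_ajax_ hook is registered, so unauthenticated requests never
// reach the handler.
// ---------------------------------------------------------------------
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_secure' );

function demo_save_settings_secure() {
    // 1. Capabilities check: changing plugin settings is an administrator
    //    action, so require the capability that WordPress uses for it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Nonce check: stops a cross-site request from an admin's browser
    //    being accepted. This complements the capability check; it does
    //    not replace it.
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // 3. Only store known keys with sanitized values, not raw request data.
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean    = array(
        'enabled' => ! empty( $settings['enabled'] ) ? 1 : 0,
        'label'   => isset( $settings['label'] ) ? sanitize_text_field( $settings['label'] ) : '',
    );
    update_option( 'demo_settings', $clean );

    // 4. File uploads get their own capability and a restricted type list.
    if ( ! empty( $_FILES['file'] ) ) {
        if ( ! current_user_can( 'upload_files' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $result = wp_handle_upload(
            $_FILES['file'],
            array(
                'test_form' => false,
                // Restrict accepted types to what the feature actually needs.
                'mimes'     => array(
                    'png'      => 'image/png',
                    'jpg|jpeg' => 'image/jpeg',
                ),
            )
        );
        if ( isset( $result['error'] ) ) {
            wp_send_json_error( $result['error'], 400 );
        }
    }

    wp_send_json_success( $clean );
}
```

When reviewing a plugin update for this class of issue, the things to look for are the ones the hardened handler adds: a current_user_can() call with an appropriate capability before any state-changing action, a nonce check on top of it rather than instead of it, no wp_ajax_nopriv_ registration for handlers that should require an account, and uploads that go through wp_handle_upload() with the accepted types narrowed to what the feature needs.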
