Two days ago we discussed that after seeing what look to be a hacker probing for the WordPress plugin WooCommerce Frontend Manager (WCFM), we found that the plugin contained, among other security issues, an authenticated persistent cross-site scripting (XSS) vulnerability. That is more a of concern than it usually is since the plugin works with WooCommerce, which by default allows untrusted to create WordPress accounts, so hackers would have an easier time exploiting that than they would for the average plugin. In looking at the developer’s other plugins we found that one of them, WooCommerce Multivendor Membership, is even more insecure, as the same type of vulnerability can be exploited without having to even be logged in to WordPress.
(Despite WooCommerce Frontend Manager (WCFM) likely being targeted by a hacker and containing an unfixed vulnerability they would exploit, WordPress is still distributing the plugin two days later.) [Read more]