Did WordPress Leave Users of the Plugin About Me Page in the Dark About Vulnerability Hackers May Now Be Targeting?
As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using, we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. For the second time today, that has led to us running across a plugin with an unfixed vulnerability that hackers could be interested in.
This time it involves the plugin About Me Page, which was closed on the Plugin Directory on May 9. No reason has been given for the closure, but one reason it could have been closed is for a security vulnerability like the authenticated persistent cross-site scripting (XSS) vulnerability we immediately ran across when we started looking at the plugin. That is a type of vulnerability we have seen hackers targeting recently, though with only 1,000+ installs it would seem less likely to be targeted, considering the attacker would need a WordPress account, but it may be that hackers are casting a wider net or don’t know the limited usage of the plugin.