Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in ACF: Better Search
One of the ways we make sure customers of our service have the best data on vulnerabilities in the WordPress plugins they use is that we monitor changes being made to plugins for indications that vulnerabilities have been fixed. We often find that issues haven't been fully resolved or that other related issues remain in the plugin. That was the case when we looked into the details of a vulnerability in the plugin WebP Converter for Media, which in part involved a lack of protection against cross-site request forgery (CSRF). We also noted a second instance of missing CSRF protection, this one in a more popular plugin by the same developer, ACF: Better Search.
That plugin makes its settings page available to those with the "manage_options" capability, so normally only Administrators:
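The pattern at issue here is a settings handler that correctly restricts *who* may change a setting (a capability check) but never verifies that the request originated from the plugin's own settings form, so a logged-in Administrator who is lured to an attacker's page can have the setting changed for them. The following is an added illustration written for this article, not code from ACF: Better Search, WebP Converter for Media, or their developer: the function names, option name and nonce action (all prefixed `csrf_demo_`) are hypothetical, while `current_user_can()`, `check_admin_referer()`, `wp_nonce_field()` and the other WordPress API calls are real. It shows the vulnerable shape beside the hardened one.

```php
<?php
/**
 * Added example, not code from any plugin named in the article.
 * Everything prefixed csrf_demo_ is hypothetical; the WordPress API
 * calls (current_user_can, check_admin_referer, wp_nonce_field,
 * update_option, sanitize_text_field, wp_unslash, esc_attr) are real.
 *
 * Drop this file into wp-content/mu-plugins/ to see both handlers in a
 * test site. The "Fixed" page is safe; the "Vulnerable" page is not.
 */

add_action( 'admin_menu', 'csrf_demo_register_pages' );

function csrf_demo_register_pages() {
    add_options_page( 'CSRF demo (vulnerable)', 'CSRF demo (vulnerable)',
        'manage_options', 'csrf-demo-vulnerable', 'csrf_demo_page_vulnerable' );
    add_options_page( 'CSRF demo (fixed)', 'CSRF demo (fixed)',
        'manage_options', 'csrf-demo-fixed', 'csrf_demo_page_fixed' );
}

/*
 * VULNERABLE PATTERN.
 * The capability check stops Subscribers and logged-out visitors, but the
 * browser of a logged-in Administrator will happily send this POST from a
 * third-party page, cookies included. A page an attacker controls could carry,
 * for example, a hidden form that auto-submits to
 *   /wp-admin/options-general.php?page=csrf-demo-vulnerable
 * with csrf_demo_option=<attacker value>, and nothing below rejects it.
 */
function csrf_demo_page_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['csrf_demo_option'] ) ) {
        // Missing: any proof the request came from our own form.
        update_option( 'csrf_demo_option',
            sanitize_text_field( wp_unslash( $_POST['csrf_demo_option'] ) ) );
    }
    csrf_demo_render_form( false );
}

/*
 * HARDENED PATTERN.
 * Same capability check, plus a nonce bound to this action and the current
 * user. check_admin_referer() calls wp_die() when the nonce is absent or
 * invalid, so a request forged from another origin never reaches
 * update_option(). The attacker cannot read the nonce out of the admin page
 * because the same-origin policy keeps its HTML from a cross-site page.
 */
function csrf_demo_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['csrf_demo_option'] ) ) {
        check_admin_referer( 'csrf_demo_save', 'csrf_demo_nonce' );
        update_option( 'csrf_demo_option',
            sanitize_text_field( wp_unslash( $_POST['csrf_demo_option'] ) ) );
    }
    csrf_demo_render_form( true );
}

/*
 * The legitimate form must emit the matching nonce field, or real
 * submissions would fail the check in the fixed handler as well.
 */
function csrf_demo_render_form( $with_nonce ) {
    ?>
    <div class="wrap">
        <form method="post">
            <?php if ( $with_nonce ) {
                wp_nonce_field( 'csrf_demo_save', 'csrf_demo_nonce' );
            } ?>
            <label>Option value
                <input type="text" name="csrf_demo_option"
                       value="<?php echo esc_attr( get_option( 'csrf_demo_option', '' ) ); ?>">
            </label>
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}
```

When reviewing a plugin's settings handler, the check is simple: find every code path that calls `update_option()` (or otherwise changes state) on a POST, and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call guards it in addition to the capability check. Plugins that save settings through the Settings API (`register_setting()` with a form posting to `options.php`) get the nonce check from WordPress core; a plugin that handles the POST itself, as above, has to do it explicitly.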