24 Jun 2019

Cross-Site Request Forgery (CSRF) Vulnerability in Admin renamer extended

The changelog for the latest version of Admin renamer extended is “Changed: Possible XSS bugfix reported by CBiu”. In looking over the changes made in that version, to see whether this was something we should be alerting customers of our service to if they were using the plugin, we found that even calling it “possible” might be overstating it. While looking into that, we did notice that the current version contains a vulnerability located in the same file as the change made to fix the possible issue.

The plugin makes its admin pages available to users with the “manage_options” capability, which normally only Administrators have:
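To make the class of issue concrete, here is an added example (not code from Admin renamer extended or its author) of a WordPress admin page restricted to the “manage_options” capability, with a form handler written first in the vulnerable style (capability check only) and then hardened with a nonce check. All identifiers (the `csrfdemo_` prefix, the option name, the menu slug) are hypothetical; the WordPress functions used (`add_menu_page`, `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`) are the real core API.

```php
<?php
// Added example, not the plugin's own code. All csrfdemo_* names, the option
// name and the menu slug are hypothetical.

add_action('admin_menu', 'csrfdemo_register_page');

function csrfdemo_register_page() {
    // The page is only reachable by users holding manage_options (normally
    // Administrators). That limits who can use it, but a capability check alone
    // does not stop CSRF: a logged-in administrator's browser can be made to
    // submit the form by an unrelated page the administrator visits.
    add_menu_page('CSRF demo', 'CSRF demo', 'manage_options', 'csrfdemo', 'csrfdemo_render_page');
}

function csrfdemo_render_page() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="csrfdemo_rename">
        <?php wp_nonce_field('csrfdemo_rename', 'csrfdemo_nonce'); ?>
        <label>New name: <input type="text" name="new_name"></label>
        <?php submit_button('Rename'); ?>
    </form>
    <?php
}

// Vulnerable pattern: capability check only. A cross-site POST sent from an
// authenticated administrator's browser is accepted because nothing proves the
// request came from this plugin's own form.
function csrfdemo_handle_rename_vulnerable() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    $new_name = sanitize_text_field(wp_unslash($_POST['new_name'] ?? ''));
    update_option('csrfdemo_name', $new_name);
    wp_safe_redirect(admin_url('admin.php?page=csrfdemo&updated=1'));
    exit;
}

// Hardened pattern: check_admin_referer() verifies the nonce emitted by
// wp_nonce_field() and stops the request with a "link expired" page when the
// nonce is missing or invalid, so a forged request fails before any state changes.
function csrfdemo_handle_rename_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    check_admin_referer('csrfdemo_rename', 'csrfdemo_nonce');
    $new_name = sanitize_text_field(wp_unslash($_POST['new_name'] ?? ''));
    update_option('csrfdemo_name', $new_name);
    wp_safe_redirect(admin_url('admin.php?page=csrfdemo&updated=1'));
    exit;
}

// Only the hardened handler is wired up; the vulnerable one is kept for comparison.
add_action('admin_post_csrfdemo_rename', 'csrfdemo_handle_rename_hardened');
```

When reviewing a plugin for this class of issue, the check is whether every state-changing admin handler calls `check_admin_referer()` (or `wp_verify_nonce()`) in addition to `current_user_can()`; the capability check alone, as in `csrfdemo_handle_rename_vulnerable()`, is the pattern that leaves an admin page open to CSRF.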