Cross-Site Request Forgery (CSRF) Vulnerability in ARPrice Lite
The latest update of the WordPress plugin ARPrice Lite was flagged by our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. When we went to look into that, we found that the plugin was closed on the Plugin Directory on June 28 with no explanation given. The changelog for the version submitted since the closure is “WordPress standard changes and other bug fixes.” A lot of the changes made are security related, but there still look to be quite a few issues.
There are numerous locations missing protection against cross-site request forgery (CSRF), which allows an attacker to cause someone else to take an action they didn’t intend to. As an example of that, let’s look at the code that starts the import process for the plugin, part of which is what was flagged by our proactive monitoring.
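As an added illustration (not ARPrice Lite’s code and not part of the original post), here is a hypothetical WordPress import handler in the unprotected form described above, beside a version that adds the capability check and nonce verification WordPress provides; every name prefixed `example_` is assumed for the illustration.

```php
<?php
// Hypothetical plugin import handler (example code, not ARPrice Lite's).
// Placeholder for the real import routine; returns how many rows it processed.
function example_run_import( array $request ) {
    $rows = isset( $request['rows'] ) ? (array) $request['rows'] : array();
    return count( $rows );
}

// --- Vulnerable: acts on any POST carrying the expected parameter ---------
// A page controlled by a third party can submit this form in the browser of a
// logged-in administrator, because nothing ties the request to WordPress's
// own admin page or to the user's intent.
function example_import_vulnerable() {
    if ( isset( $_POST['example_import'] ) ) {
        example_run_import( $_POST );
    }
}

// --- Hardened: capability check plus nonce verification -------------------
function example_import_hardened() {
    if ( ! isset( $_POST['example_import'] ) ) {
        return;
    }
    // Only users allowed to manage the site may start an import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce bound to this action and the
    // current user, and stops execution with an error if it does not match.
    check_admin_referer( 'example_import_action', 'example_import_nonce' );
    example_run_import( wp_unslash( $_POST ) );
}
add_action( 'admin_init', 'example_import_hardened' );

// The admin form that starts the import must emit the matching nonce field;
// without it the hardened handler rejects every submission.
function example_render_import_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_import_action', 'example_import_nonce' );
    echo '<input type="hidden" name="example_import" value="1">';
    submit_button( 'Start import' );
    echo '</form>';
}
```

The nonce alone is not authorization: the capability check is what stops a low-privileged logged-in user from triggering the import, and the nonce is what stops a cross-site request from doing it on an administrator’s behalf.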