Recently we went to check on a report of a cross-site scripting (XSS) vulnerability in the plugin My WP Translate and while looking into that we noticed that there were a number AJAX accessible functions that didn’t have the proper protection so that anyone logged in could access them. That is an all too common situation. On a lot of websites that wouldn’t matter much since the only user account is an Administrator, so that if someone gains access to the account they can do whatever they want already, or only trusted individuals have accounts. For websites that do allow untrusted users to have accounts taking extra precautions when it comes to plugins is a good idea. That can include limiting the number of plugins you use and for the highest assurance getting a security review done of them (we do security reviews of plugins suggested/voted for by our customers and also offer a separate service if just want to purchase a review).
Recently we found that the plugin Social Media and Share Icons (Ultimate Social Media) contained an authenticated option deletion vulnerability. The Social Media plugin is based on the code base of that plugin and contained the same vulnerable code. The only difference being that function is named sfsi_plus_DeleteSkin() in this plugin, that is located in the file /libs/controllers/sfsi_iconsUpload_contoller.php.
Recently we have been finding a lot of vulnerabilities in WordPress plugins through monitoring our websites for what look to be requests related to hacking attempts against plugins that don’t have known vulnerabilities and then checking over the plugins for exploitable vulnerabilities. That has lead to us finding quite a few vulnerabilities in the current versions of plugins. In attempt to catch more of this type of issue we have been looking around for more data so that we can catch more of these vulnerabilities. That lead us to look at the Social Media and Share Icons (Ultimate Social Media) plugin, despite it looking like it might not have been the target of a hacker. While reviewing that we found a fairly serious vulnerability, though not one that hackers would likely be interested in exploiting.