One of the things we do to keep track of vulnerabilities in WordPress plugins, so that we can provide our customers with the best data on vulnerabilities in the plugins they use, is to monitor the WordPress Support Forum for topics that might relate to them. Through that we came across an authenticated settings change vulnerability that can permit persistent cross-site scripting (XSS) in the plugin WP Google Maps, which, considering the plugin has 400,000+ installs, is something that would be of interest to hackers.
This Vulnerability Details post about a vulnerability in the plugin Launcher provides the details of a vulnerability we ran across while collecting data on vulnerabilities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.
Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins with the critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.