26 Aug 2016

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Bad Behavior

We recently found that the Bad Behavior plugin contained a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on one of the plugin’s settings pages, /wp-admin/options-general.php?page=bb2_whitelist. The day after we notified the developer, they released version 2.2.19, which fixed the issue.

The CSRF portion of the vulnerability was due to a lack of a nonce on the page.
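For readers unfamiliar with how a nonce closes this class of hole, the following is an added example and not code from the Bad Behavior plugin: a minimal WordPress settings page that emits a nonce with its form, verifies it with check_admin_referer() before saving, and escapes the stored value on output so the same page is not a stored-XSS sink. The menu slug, option name, action name and field names (example_whitelist, example_save_whitelist, example_whitelist_nonce) are hypothetical; the WordPress API calls are real (sanitize_textarea_field() requires WordPress 4.7 or later).

```php
<?php
// Added example (not the plugin's code): a WordPress options page protected
// against CSRF by a nonce and against stored XSS by output escaping.
// All example_* names are hypothetical placeholders.

add_action( 'admin_menu', 'example_register_settings_page' );

function example_register_settings_page() {
    add_options_page(
        'Example Whitelist',            // page title
        'Example Whitelist',            // menu title
        'manage_options',               // capability required to view the page
        'example_whitelist',            // hypothetical menu slug
        'example_render_settings_page'  // render callback below
    );
}

function example_render_settings_page() {
    // Authorization check: a nonce proves the request was intended by this
    // user, it does not prove the user is allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['example_whitelist_submit'] ) ) {
        // Stops with HTTP 403 unless the POSTed example_whitelist_nonce field
        // holds a valid nonce for this user and the 'example_save_whitelist'
        // action. A form submitted from a third-party site cannot supply it.
        check_admin_referer( 'example_save_whitelist', 'example_whitelist_nonce' );

        $raw   = isset( $_POST['example_whitelist'] ) ? wp_unslash( $_POST['example_whitelist'] ) : '';
        $clean = sanitize_textarea_field( $raw ); // strips tags and control characters
        update_option( 'example_whitelist', $clean );
        echo '<div class="updated"><p>Whitelist saved.</p></div>';
    }

    $current = get_option( 'example_whitelist', '' );
    ?>
    <div class="wrap">
        <h1>Example Whitelist</h1>
        <form method="post" action="">
            <?php
            // Emits a hidden input named example_whitelist_nonce whose value is
            // tied to the current user and to the 'example_save_whitelist' action.
            wp_nonce_field( 'example_save_whitelist', 'example_whitelist_nonce' );
            ?>
            <textarea name="example_whitelist" rows="10" cols="60"><?php
                // Escape on output so a stored value cannot close the textarea
                // and inject markup into the admin page.
                echo esc_textarea( $current );
            ?></textarea>
            <p>
                <input type="submit" name="example_whitelist_submit"
                       class="button-primary" value="Save" />
            </p>
        </form>
    </div>
    <?php
}
```

The two checks are independent: current_user_can() answers "may this account do this?", while the nonce answers "did this account actually submit this form?". Dropping either one reopens a hole, which is why a missing nonce on an otherwise capability-gated settings page is still a CSRF vulnerability.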