30 Jan 2025

Developers of Beaver Builder Didn’t Disclose They Were Updating Known Vulnerable Library in Plugin

Over the past couple of weeks, we have been posting about popular WordPress plugins that use outdated versions of third-party libraries, versions that the libraries’ developers have disclosed contain security issues. Those posts have involved situations where the plugin developers haven’t fixed the issue, including one instance where the developer was notified back at the end of October. Beaver Builder, another plugin using a vulnerable version of the same library, DOMPurify, at least updated the library after we notified its developers of the issue. We don’t know if they were notified of it before. You would hope they would have been, since the library’s developer disclosed the vulnerability on October 24. What the developers of Beaver Builder didn’t do is disclose that they were doing that.

They don’t provide any changelog on the WordPress plugin directory: