3 Oct 2019

Vulnerability Details: Multiple in Car Demon

One of the changelog entries for the latest version of Car Demon is “FIX: Security updates to correct XSS + CSRF vulnerabilities – props to princyedward!” We found that at least one of the places that was fixed was the handling of saving the plugin’s settings, but looking at that led us to notice that there was still a cross-site request forgery (CSRF) vulnerability in the resetting of the plugin’s settings, though it turns out that the reset only partially resets the settings. We have notified the developer of that. If you are using the plugin, it probably could use a more thorough review.
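To illustrate the two issues described above (a settings reset reachable by forged requests, and a reset that does not restore every setting), here is an added example of what a WordPress settings-reset handler should check. This is not Car Demon's code; the `cd_` function and option names, the `cd_reset` query parameter and the settings page slug are hypothetical placeholders, while `check_admin_referer`, `current_user_can` and `wp_nonce_url` are the standard WordPress APIs.

```php
<?php
// Added illustration, not Car Demon's code. All cd_* names, option keys,
// defaults and the page slug are hypothetical placeholders.

// Every option the plugin stores, with its default. A reset should walk
// this whole list; clearing only some keys leaves the settings half-reset.
function cd_default_settings() {
    return array(
        'cd_currency'         => 'USD',
        'cd_results_per_page' => 10,
        'cd_show_vin'         => 1,
    );
}

// Weak pattern: the reset fires on a bare query parameter, with no nonce
// and no capability check, so a request a logged-in admin's browser is
// tricked into sending is indistinguishable from a deliberate one. It also
// clears only one option, so the settings are only partially reset.
function cd_handle_reset_weak() {
    if ( isset( $_GET['cd_reset'] ) ) {
        delete_option( 'cd_currency' );
    }
}

// Hardened pattern: require the right capability, then a valid nonce bound
// to this specific action, then restore every option to its default.
function cd_handle_reset_hardened() {
    if ( ! isset( $_GET['cd_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Calls wp_die() if the nonce in the cd_nonce parameter is missing or invalid.
    check_admin_referer( 'cd_reset_settings', 'cd_nonce' );

    foreach ( cd_default_settings() as $name => $default ) {
        update_option( $name, $default );
    }
    wp_safe_redirect( add_query_arg( 'cd_reset_done', '1', admin_url( 'admin.php?page=cd-settings' ) ) );
    exit;
}
add_action( 'admin_init', 'cd_handle_reset_hardened' );

// The "Reset settings" link rendered on the settings page must carry the
// matching nonce, otherwise the hardened handler rejects the click.
function cd_reset_link() {
    $url = add_query_arg( 'cd_reset', '1', admin_url( 'admin.php?page=cd-settings' ) );
    return wp_nonce_url( $url, 'cd_reset_settings', 'cd_nonce' );
}
```

When reviewing a plugin for this class of issue, look for every admin-side handler that changes state and confirm it performs both the capability check and the nonce check, not just the one that saves settings.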
