1 Nov 2022

Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses

During the summer, WPScan, one arm of Automattic, the company closely associated with WordPress, disclosed a vulnerability in the plugin Co-Authors Plus, which is maintained by another arm of Automattic. WPScan and others at Automattic appear not to have looked very closely at the issue, as the plugin still has a closely related vulnerability.

According to the documentation for the plugin, it is maintained by WordPress VIP: [Read more]

1 Nov 2022

Authenticated Information Disclosure Vulnerability in Co-Authors Plus

As detailed in a separate post, earlier this year it was disclosed that the WordPress plugin Co-Authors Plus had contained a vulnerability that disclosed email addresses through a REST API route. That is still possible through another REST API route.

In the file /php/class-coauthors-endpoint.php, a REST API route to search for coauthors is registered: [Read more]

22 Jan 2019

WordPress Plugin Security Review: Co-Authors Plus

For our 25th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Co-Authors Plus.

If you are not yet a customer of the service, once you sign up as a paying customer you can start suggesting and voting on plugins to receive security reviews. For those already using the service who haven’t yet suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates for a review. You can also order a review of a plugin separately from our service. [Read more]