Back in March of 2016 we warned of the WordPress plugin developer CodePeople, which currently has 27 plugins in the Plugin Directory, due to repeated security issues in their plugins. Over three years later things don’t look to have changed. The changelog for the latest version of the plugin CP Contact Form with PayPal is “Fixed XSS vulnerability in CSS edition” in looking into that to see if there was a vulnerability we should be notifying customers of our service that were using that plugin about, we found that there is still a related vulnerability in the current version of the plugin, which should have been caught if they checked over the code in the plugin for similar issues. The vulnerability that was fixed is identical to one that they were notified was in another of their plugin’s in October.

The plugin register its main admin page to be accessible to users with the “manage_options” capability, which normally only Administrators have: [Read more]