Automattic’s “Internal Audit” of Plugin Misses Vulnerabilities Impacting Plugins With 1.2 Million Installs
On Friday, Automattic, through their Jetpack service’s blog, released details of a vulnerability in a WordPress plugin based on what they described as an “internal audit”:
During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints were accessible to any users with an account on the vulnerable site, like subscribers.
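The class of issue Jetpack is describing is a common one in WordPress plugins: any callback hooked to `wp_ajax_{action}` runs for every logged-in user, subscribers included, so an endpoint that relies on the login alone is reachable by the lowest-privileged account on the site. The following is an added illustration of that pattern and its fix, written for this post; it is not code from the Smash Balloon plugin or from Jetpack, and the action name `demo_save_setting`, the option name `demo_setting` and the script handle `demo-admin` are hypothetical.

```php
<?php
// Added illustration, not the Smash Balloon / Custom Facebook Feed plugin's code.
// WordPress runs a wp_ajax_{action} callback for every authenticated user,
// so a handler that only hooks itself is reachable by a subscriber.
// Action name "demo_save_setting" and option "demo_setting" are hypothetical.

// Weak pattern: being logged in is the only gate; no capability or nonce check.
add_action('wp_ajax_demo_save_setting_weak', function () {
    // Any authenticated user (subscriber and up) reaches this point.
    update_option('demo_setting', sanitize_text_field(wp_unslash($_POST['value'] ?? '')));
    wp_send_json_success();
});

// Hardened pattern: verify a nonce tied to this action, then require a
// capability only trusted roles hold, before touching any site option.
add_action('wp_ajax_demo_save_setting', function () {
    // check_ajax_referer() looks for _ajax_nonce/_wpnonce in the request and
    // terminates with a 403 response when the nonce is missing or invalid.
    check_ajax_referer('demo_save_setting');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    update_option('demo_setting', sanitize_text_field(wp_unslash($_POST['value'] ?? '')));
    wp_send_json_success();
});

// Where the nonce comes from: expose it to the admin page's script
// (assumes a script registered under the hypothetical handle "demo-admin").
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('demo-admin', 'demoAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('demo_save_setting'),
    ]);
});
```

The two checks address different risks: the capability check decides who may perform the action, and the nonce check ensures the request was issued from the plugin's own page rather than by a cross-site request. When auditing a plugin for this class of bug, list every `wp_ajax_` and `wp_ajax_nopriv_` hook and confirm that each handler performs both checks before it reads or writes anything sensitive.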