One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Due to recent improvements to that we caught a cross-site request forgery (CSRF)/PHP object injection vulnerability in WP Google Map Plugin, which has 100,000+ installs.
Yesterday when discussing a vulnerability we accidentally ran across we noted that the complicated nature of the code might have help to explain how the security vulnerability came about. That seems like it could also apply to this plugin as well as the code leading to the vulnerability seems overly complicated and critical security code is more complicated than needs to be, while not functioning properly. [Read more]