1 Dec 2017

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet): [Read more]

5 Jul 2016

Authenticated Information Disclosure Vulnerability in Email Log

When thinking about the security of WordPress plugins, the more obvious concern is vulnerabilities that lead to websites being hacked, but for more high-profile websites there should also be plenty of concern for other issues, like the leaking of potentially sensitive information. A wide range of plugins interact with that type of information, but their security doesn’t seem to be very well looked after, either by the developers or by the public using them, based on some of the vulnerabilities we are discovering.

We recently took a look over plugins that allow logging emails sent by the website, which, depending on what is included, could be rather sensitive. In a couple of cases we found that the logged emails were viewable by anyone logged in to WordPress. In the first, Email Log, the logged emails are displayed by the function display_content_callback(), which is accessed through an AJAX request. [Read more]