16 Nov 2018

Our Proactive Monitoring Caught a Remote Code Execution Vulnerability Being Added to the Feedify WordPress Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Most of the vulnerabilities caught that way are flagged by only a few of the checks we run over those changes. For a change made yesterday, though, a check that we can't recall having flagged anything before did fire, and it identified a serious issue: the new version of the Feedify plugin introduced a remote code execution (RCE) vulnerability.

The new version of the plugin has the function feedify_run_cmd() run “once WP, all plugins, and the theme are fully loaded and instantiated“:
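To make the monitoring idea above concrete, here is an added example of the kind of check that can run over a plugin's change set: it parses a unified diff and flags any newly added line that calls a PHP command- or code-execution sink, noting whether request data (a superglobal such as $_GET) appears on the same line. This is illustration code written for this page, not the actual tooling used to catch the Feedify issue and not code from the Feedify plugin; the sample diff, the plugin path and the function name example_run_cmd are constructed, and the assumption that the quoted hook description refers to wp_loaded is ours.

```python
import re
from dataclasses import dataclass
from typing import List

# PHP functions that execute OS commands or arbitrary PHP code. A newly added
# call to any of these in a plugin update deserves a human look.
COMMAND_SINKS = ("exec", "shell_exec", "system", "passthru",
                 "proc_open", "popen", "pcntl_exec")
CODE_SINKS = ("eval", "assert", "create_function")
SINK_RE = re.compile(r"\b(" + "|".join(COMMAND_SINKS + CODE_SINKS) + r")\s*\(",
                     re.IGNORECASE)

# Request-controlled sources; one on the same line as a sink is a strong signal.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|php://input")

# Unified-diff hunk header: we only need the starting line of the new file.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str      # file in the new version
    line: int      # line number in the new version
    sink: str      # sink function name, lower-cased
    tainted: bool  # request data appears on the same line
    code: str      # the added line, stripped


def scan_diff(diff_text: str) -> List[Finding]:
    """Return one Finding per added line that calls a known sink."""
    findings: List[Finding] = []
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header or "\ No newline at end of file"
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed lines are not in the new version
        if raw.startswith("+"):
            code = raw[1:]
            sink = SINK_RE.search(code)
            if sink and not code.lstrip().startswith(("//", "*", "#")):
                findings.append(Finding(path, new_line, sink.group(1).lower(),
                                        bool(SOURCE_RE.search(code)), code.strip()))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1  # unchanged context line
    return findings


def format_report(findings: List[Finding]) -> str:
    """Human-readable summary, tainted findings marked for priority review."""
    return "\n".join(
        f"{'!! ' if f.tainted else '   '}{f.path}:{f.line} calls {f.sink}(): {f.code}"
        for f in findings)


# Constructed sample diff (not the Feedify plugin): a hypothetical plugin adds a
# function hooked to wp_loaded that passes a GET parameter straight to shell_exec().
SAMPLE_DIFF = """\
diff --git a/example-plugin/example-plugin.php b/example-plugin/example-plugin.php
--- a/example-plugin/example-plugin.php
+++ b/example-plugin/example-plugin.php
@@ -10,6 +10,14 @@ function example_plugin_init() {
     add_action( 'init', 'example_plugin_init' );
 }
 
+// Hypothetical: runs once WP, plugins and theme are loaded (wp_loaded hook).
+add_action( 'wp_loaded', 'example_run_cmd' );
+
+function example_run_cmd() {
+    if ( isset( $_GET['example_cmd'] ) ) {
+        echo shell_exec( $_GET['example_cmd'] );
+    }
+}
 
 function example_plugin_version() {
     return '1.0';
"""

if __name__ == "__main__":
    print(format_report(scan_diff(SAMPLE_DIFF)))
```

Run against a plugin's SVN or Git diff, this reports the file and line of each added sink call; the tainted flag is deliberately conservative (same line only), so untainted hits still warrant a manual look at where the arguments come from.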