Premio is Introducing Security Vulnerabilities into WordPress Plugins While Commercializing Them
On Friday the plugin myStickymenu was closed on the WordPress Plugin Directory. It is one of the 1,000 most popular WordPress plugins (it has 60,000+ installs), and hackers appear to monitor for the closure of popular plugins so they can check whether there are security vulnerabilities they can exploit. We do the same type of monitoring to keep our customers ahead of hackers, so we were alerted to the closure. We found two vulnerabilities in the plugin, though neither is one that hackers are likely to try to exploit on the average website. Looking into the more serious of the two, we found that it was introduced in the first version released after ownership of the plugin was handed over to a company named Premio. That same version promoted the introduction of a Pro version, and what is included in the Pro version is tied to the code introduced in that version that created the security vulnerability.
The security vulnerability was caused by a failure to do two security basics, so we were curious whether their other plugins might also have security issues. Their second most popular plugin is Folders. As with myStickymenu, they took it over and the next version promoted the introduction of a Pro version. Alongside that, they also introduced numerous security issues, again due to basic security failures. As one example, we confirmed that a persistent cross-site scripting (XSS) vulnerability was introduced in that version, and it still exists in the current version.