Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in Front-End Only Users
One of the misconceptions we see out there when it comes to the security of plugins is people believing that because a plugin is created by a company as opposed to an individual, or because there is a paid element to it, it will be more secure. That clearly hasn’t been the case with the company Etoile Web Design, which hasn’t fixed multiple vulnerabilities we have reported to them (some of which we discovered and others publicly disclosed by someone else). So it wasn’t really surprising that during our monitoring of the WordPress Support Forum we came across a thread about Daniele Scasciafratte noticing a vulnerability in their Front-End Only Users plugin due to it having been exploited on the plugin’s demo site:
…