24 May 2022

Patchstack Claims “Vulnerability” in WordPress Plugin With 600,000+ Installs Was Fixed Despite No Changes Being Made

Partly because of the large number of false reports of vulnerabilities in WordPress plugins being put out by our competitors, we now put more focus on claims of vulnerabilities in plugins used by our customers. So once at least one of our customers started using the plugin GA Google Analytics, our systems notified us that we needed to review a report put out last year by one of the aforementioned competitors, Patchstack, on a claimed authenticated persistent cross-site scripting (XSS) vulnerability in the plugin.

The report is credited to “m0ze (Patchstack Red Team)”, so this was something coming directly from Patchstack, instead of just something they copied from somewhere else.