Vulnerability Details: Authenticated Information Disclosure in Gallery Bank
The plugin Gallery Bank was closed on the Plugin Directory on Monday. Earlier today a new version of the plugin was submitted with the changelog entry “FIX: FTP Exploit Fixed”, which sounds unusual, since plugins normally wouldn’t have anything to do with FTP unless they make requests via FTP to another server. Looking at the changes made and at the old version of the plugin, we found that this involved an “Upload from FTP” feature, part of which is only available in a premium version of the plugin. What is available in the free version looks to have been vulnerable in that Author-level users and above could view the names of the subdirectories of arbitrary directories on the website.
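To illustrate the class of issue described above, here is an added example (not code from Gallery Bank, and not a claim about how that plugin is written): a generic WordPress AJAX handler that lists the subdirectories of a caller-supplied path. The first version only requires a capability that Authors have (`upload_files`) and walks whatever path it is given, so any Author-level user can enumerate directory names anywhere the web server can read; the second version requires a nonce and an administrator-level capability and confines the path to a fixed base directory. The action names, function names, and the `example-ftp` base directory are hypothetical.

```php
<?php
// Added example, not Gallery Bank's code. Function, action and directory names
// are hypothetical. Requires a WordPress runtime (wp_ajax_* hooks, wp_send_json_*).

// Unsafe pattern: gated only on a capability Authors have, and lists any path given.
function example_list_subdirs_unsafe() {
    if ( ! current_user_can( 'upload_files' ) ) { // Authors, Editors and Admins have this
        wp_send_json_error( 'forbidden', 403 );
    }
    $dir     = isset( $_POST['dir'] ) ? (string) wp_unslash( $_POST['dir'] ) : '';
    $subdirs = array();
    // No confinement: "dir=/etc" or "dir=/var/www" is listed just as readily as the
    // upload directory. Only names leak, but that is still an information disclosure.
    foreach ( (array) glob( rtrim( $dir, '/' ) . '/*', GLOB_ONLYDIR ) as $path ) {
        $subdirs[] = basename( $path );
    }
    wp_send_json_success( $subdirs );
}
add_action( 'wp_ajax_example_list_subdirs_unsafe', 'example_list_subdirs_unsafe' );

// Hardened version: nonce check, administrator-level capability, and the requested
// path is resolved under a fixed base directory and rejected if it escapes it.
function example_list_subdirs_safe() {
    check_ajax_referer( 'example_list_subdirs' ); // dies on a missing or invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) { // Administrators only (a design choice)
        wp_send_json_error( 'forbidden', 403 );
    }
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] . '/example-ftp' ); // hypothetical base directory
    $req    = isset( $_POST['dir'] ) ? (string) wp_unslash( $_POST['dir'] ) : '';

    // Treat the caller's value as relative to the base, resolve symlinks and "..",
    // then require the result to be the base itself or something beneath it.
    // Appending a separator before comparing stops "example-ftp-evil" from matching.
    $target = realpath( $base . '/' . ltrim( $req, '/' ) );
    if ( false === $base || false === $target
        || 0 !== strpos( $target . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid directory', 400 );
    }

    $subdirs = array();
    foreach ( (array) glob( $target . '/*', GLOB_ONLYDIR ) as $path ) {
        $subdirs[] = basename( $path );
    }
    wp_send_json_success( $subdirs );
}
add_action( 'wp_ajax_example_list_subdirs_safe', 'example_list_subdirs_safe' );
```

The capability to require is a product decision; the point is that "can upload media" is a much weaker bar than "can browse the server's filesystem", and that a capability check alone does not help if the path is unconstrained. The `realpath()` plus prefix comparison is the part that closes the disclosure, since it rejects both absolute paths and `../` sequences after symlink resolution.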
…