Gutenberg Blocks Plugin with 40,000+ Installs Contains Multiple Vulnerabilities
The WordPress plugin Getwid, which describes itself as “a collection of 40+ Gutenberg blocks”, was closed on the WordPress Plugin Directory yesterday. It is one of the 1,000 most popular plugins, with 40,000+ installs, so we were alerted to its closure. While looking into the plugin to see whether it contained any serious vulnerabilities we should warn users of our service about, we found that it contains at least an authenticated information disclosure vulnerability and a cross-site request forgery (CSRF)/settings change vulnerability. Both involve an Instagram access token.
Authenticated Information Disclosure
The plugin registers the function get_instagram_token() to be accessible to anyone logged in to WordPress through its AJAX functionality:
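The pattern described above, shown as an added illustration that is not Getwid's code: a WordPress `wp_ajax_` handler that hands a stored access token to any logged-in user (and, for the settings side, accepts a new token without an anti-CSRF check), beside a hardened version that requires a nonce and the `manage_options` capability. The hook names, option name, script handle and `admin.js` file are assumptions made for this example.

```php
<?php
/*
 * Hypothetical illustration of the weakness class described above.
 * Not Getwid's code. Assumed names: AJAX actions "example_get_instagram_token"
 * and "example_save_instagram_token", option "example_instagram_token",
 * script handle "example-admin".
 */

// ----- Vulnerable pattern -----
// wp_ajax_{action} fires for *every* authenticated user, subscriber included.
// With no capability check, any logged-in account can read the token
// (authenticated information disclosure).
add_action( 'wp_ajax_example_get_instagram_token', 'example_get_instagram_token_insecure' );
function example_get_instagram_token_insecure() {
    $token = get_option( 'example_instagram_token', '' );
    wp_send_json_success( array( 'token' => $token ) );
}

// With no nonce, a third-party page visited by a logged-in administrator can
// submit this request and overwrite the stored token (CSRF / settings change).
add_action( 'wp_ajax_example_save_instagram_token', 'example_save_instagram_token_insecure' );
function example_save_instagram_token_insecure() {
    update_option( 'example_instagram_token', sanitize_text_field( $_POST['token'] ?? '' ) );
    wp_send_json_success();
}

// ----- Hardened pattern -----
// 1. check_ajax_referer() rejects requests that lack a valid nonce for this
//    action (it dies with HTTP 403), which blocks CSRF.
// 2. current_user_can() restricts the handler to users who may manage
//    plugin settings, which blocks low-privilege readers.
add_action( 'wp_ajax_example_get_instagram_token_secure', 'example_get_instagram_token_secure' );
function example_get_instagram_token_secure() {
    check_ajax_referer( 'example_instagram_token_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $token = get_option( 'example_instagram_token', '' );
    wp_send_json_success( array( 'token' => $token ) );
}

add_action( 'wp_ajax_example_save_instagram_token_secure', 'example_save_instagram_token_secure' );
function example_save_instagram_token_secure() {
    check_ajax_referer( 'example_instagram_token_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    update_option( 'example_instagram_token', sanitize_text_field( $_POST['token'] ?? '' ) );
    wp_send_json_success();
}

// The legitimate admin page receives the nonce through wp_localize_script()
// and sends it as the "nonce" POST field. A page under an attacker's control
// cannot read that value, so its forged request fails the referer check.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_instagram_token_nonce' ),
    ) );
} );
```

The two checks address different attackers and both are needed: a nonce alone still lets a subscriber who is logged in (and therefore holds a valid nonce of their own) call the handler, and a capability check alone still lets an attacker's page drive an administrator's browser into the settings change.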