13 Aug 2019

Reflected Cross-Site Scripting (XSS) Vulnerability in Import Social Events

One of the changelog entries for the latest version of Import Social Events is “IMPROVEMENT: Some Security Improvements.” Looking at the changes made, we saw that sanitization was being added in a number of locations. The first instances of that, though, didn’t have any security impact, so we ran the previous version of the plugin through our Plugin Security Checker tool to see if it flagged any possible issues. That flagged the code below as possibly being vulnerable, which we then confirmed. Looking at the changes made, that code wasn’t fixed.

We also noticed that similar code on the next line after the vulnerable code could also lead to a vulnerability and wasn’t flagged by the tool. We made an improvement to the tool so that it will now catch that in the future.