At the beginning of the year we took a couple of actions to improve our inclusion of vulnerabilities where there has not been a report on the vulnerability released by the discoverer so that we could expand the number of vulnerabilities we include in our dataset. First, we expanded our monitoring of changes made to plugins to spot more of those situations. Second, we started releasing posts with the details of those vulnerabilities, which allows us to provide more information on the vulnerabilities to our customers than we otherwise could. That has also led to us spotting additional vulnerabilities in those plugins, just as we have when reviewing reports for other vulnerabilities.

While putting together a post on a vulnerability that had existed in the plugin Invite Anyone we noticed another related vulnerability. The original vulnerability involved a lack of enforcement of an admin set restriction on users setting the subject and message of invite email sent through the plugin. While looking into the details of that vulnerability we noticed that the plugin also didn’t enforce access control restrictions that can be set for sending invite emails through the plugin. While the relevant page for sending emails was not shown to user that should not be able to send them, a user could still send a request to cause those emails to be sent. The sending of emails also lacked protection against cross-site request forgery (CSRF), which would have had the impact of stopping those requests as well.  We notified the developer of those issues and they quickly got back to us and they have now released version 1.3.16, which resolves the vulnerabilities. [Read more]