Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, unfortunately so far that hasn’t happened. Instead they have continued apace doing downright strange stuff, like deleting people just saying thank you, and inappropriate stuff, like continuing to violate their own guidelines to promote certain security companies to clean up hacked websites (and lying in the process since the companies  they promote as “reputable” are any but, as one of them lies all the time and the other doesn’t even attempt to properly clean up hacked websites). Now comes the time when their refusal to clean up their act is likely to have a huge consequence.

Last week an option update vulnerability in the plugin WP GDPR Compliance was widely exploited after it was fixed. After that happened we went to do some checks over the 1,000 most popular WordPress plugins related to that, while looking into improving our automated tool for detecting possible security issues in plugin, the Plugin Security Checker, and we found that the plugin Kiwi Social Share also has the same type of vulnerability. [Read more]