Who did WordPress.com VIP Put At Risk of Using an Insecure Plugin?
We recently started looking to see whether some of the most popular WordPress plugins on the Plugin Directory had easy-to-find vulnerabilities, and the results show that they do. While writing up a post on that, we were reminded of the time last year when we found a plugin with a known vulnerability that was also included in the WordPress.com VIP service. For a service that people pay thousands a month for, it didn't seem that their claims about security meant much. After being reminded of that, we thought it would be interesting to see whether the plugins from the Plugin Directory that they include in that service had any easy-to-find security issues as well.
Before we even started to do that, we realized we had already found one thanks to our parallel look at the most popular plugins on the Plugin Directory. While looking for a related issue, we found that the Lightbox Plus Colorbox plugin (the linked page is currently missing because the plugin has been removed from the Plugin Directory, but the WordPress.com VIP page for it is still up for now) has a cross-site request forgery (CSRF) / cross-site scripting (XSS) vulnerability. While this type of vulnerability is not currently being widely exploited, it is fairly concerning that a plugin with over 300,000 active installations, according to WordPress.org, fails to take some fairly basic security measures: using WordPress' built-in protection against cross-site request forgery, and sanitizing user input.
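To make the two missing measures concrete, here is an added example (not code from the Lightbox Plus Colorbox plugin or from WordPress.com VIP) of a hypothetical plugin settings page written both ways: the weak pattern that accepts a settings change from any request and prints the stored value back unescaped, and the hardened pattern that uses WordPress' nonce functions (its built-in CSRF protection), a capability check, and sanitization on input with escaping on output. The option name `example_title`, the form field names and the `example` text domain are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's code: a hypothetical settings page for a
// WordPress plugin. Option name, field names and text domain are assumptions.

// --- Weak pattern: no nonce, no capability check, raw input stored, raw output echoed ---
function example_weak_save_settings() {
    if ( isset( $_POST['example_title'] ) ) {
        // Any request carrying this field updates the option; nothing ties it
        // to a form WordPress itself rendered, so it is forgeable cross-site.
        update_option( 'example_title', $_POST['example_title'] );
    }
}

function example_weak_render() {
    // The stored value is printed into an attribute without escaping, so
    // anything saved above ends up in the admin page as-is (stored XSS).
    echo '<input type="text" name="example_title" value="' . get_option( 'example_title' ) . '">';
}

// --- Hardened pattern ---
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'example' ) );
    }
    $title = get_option( 'example_title', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label for="example_title">Title</label>
        <input type="text" id="example_title" name="example_title"
               value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_save_settings() {
    if ( ! isset( $_POST['example_title'] ) ) {
        return;
    }
    // 1. CSRF: check_admin_referer() dies unless the request carries a valid
    //    nonce for this action in the named field (and a matching referer).
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 2. Authorization: a nonce proves the request came from a form WordPress
    //    rendered for this user; it does not prove privilege, so check that too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    // 3. Sanitize on input: strip tags, control characters and extra whitespace.
    //    wp_unslash() undoes the slashes WordPress adds to $_POST.
    $title = sanitize_text_field( wp_unslash( $_POST['example_title'] ) );
    update_option( 'example_title', $title );
    // 4. Escape on output: esc_attr() in the render function above.
}

add_action( 'admin_init', 'example_save_settings' );
add_action( 'admin_menu', function () {
    add_options_page( 'Example', 'Example', 'manage_options', 'example-settings', 'example_render_settings_page' );
} );
```

The three checks in the hardened save handler are independent: the nonce alone does not stop a low-privileged logged-in user from posting the form, the capability check alone does not stop a forged request from an administrator's browser, and neither stops stored script if the value is printed back without escaping, which is why sanitizing on input is paired with `esc_attr()` on output.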