Developer of Million+ Install WordPress Plugin Discloses Security Vulnerability Without Making Update Available
A lot of things can go wrong when trying to fix vulnerabilities in WordPress plugins, and sometimes they go wrong in an intentional way. That is the case with a vulnerability in the 1+ million install WordPress plugin Loco Translate. A week ago, the developer submitted a change to the plugin that fixes a vulnerability. What they didn't do was release a new version of the plugin, so those using the plugin cannot yet update to a fixed version. Sometimes that situation arises because a developer forgets to bump the version number of the plugin; here, the developer is making changes to the plugin publicly before releasing a new version. That isn't a good idea for security fixes, since it is possible to monitor for security changes, as we do, and notice such a situation.
In the submission to fix the vulnerability, the developer wrote "Fixed a missing security check – thanks Nosa Shandy." The referenced security check is a nonce check, which is WordPress's mechanism for preventing cross-site request forgery (CSRF). With CSRF, an attacker can cause a logged-in user, such as an administrator, to take an action they didn't intend to, by getting their browser to submit a request to the site while their session cookies are attached. The missing check allowed that to occur when changing or resetting the advanced configuration options of a plugin or theme translation bundle in Loco Translate.
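To show the class of bug being described, here is a minimal WordPress settings handler written for this post. It is an added example, not Loco Translate's code, and the option name, action name and capability used are hypothetical. The first handler accepts any POST that reaches it; the second rejects requests that don't carry a nonce tied to the logged-in user and the named action, and also checks the user's capability, since a nonce on its own only proves the request came from the site's own form, not that the user is allowed to make the change.

```php
<?php
// Added example for this post, not Loco Translate's code. Assumes it runs
// inside WordPress (the wp_* and *_option functions come from WordPress core).
// The option name 'demo_config', the action 'demo_save_config' and the
// capability check are hypothetical stand-ins.

// --- Vulnerable: no nonce check, no capability check -----------------------
// If a logged-in admin visits an attacker's page that auto-submits a form to
// admin-post.php?action=demo_save_config, the browser attaches the admin's
// cookies and the option is overwritten with the attacker's value.
function demo_save_config_vulnerable() {
    $value = isset( $_POST['demo_config'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_config'] ) )
        : '';
    update_option( 'demo_config', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// --- Fixed: nonce check plus capability check ------------------------------
function demo_save_config_fixed() {
    // Reject users who may not change settings, regardless of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() reads the '_wpnonce' field and calls wp_die() if it
    // is missing, expired, or was not generated for this action and this user.
    check_admin_referer( 'demo_save_config' );

    $value = isset( $_POST['demo_config'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_config'] ) )
        : '';
    update_option( 'demo_config', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// The legitimate form must embed the nonce so the fixed handler accepts it.
// wp_nonce_field() writes the '_wpnonce' field that check_admin_referer() reads.
function demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_config">
        <?php wp_nonce_field( 'demo_save_config' ); ?>
        <input type="text" name="demo_config"
               value="<?php echo esc_attr( get_option( 'demo_config', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Only the fixed handler is wired up; the vulnerable one is kept for comparison.
add_action( 'admin_post_demo_save_config', 'demo_save_config_fixed' );
```

The same check has to be present on every state-changing entry point, so a "reset" action needs its own nonce check just as the "save" action does. A quick way to look for this class of bug in a plugin is to find handlers that call `update_option()` or otherwise write data and confirm each one calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before doing so.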