The plugin Maintenance was closed on the WordPress Plugin Directory yesterday. It is one of the 1,000 most popular plugins, with 400,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a couple of less serious ones related to a more serious one. Through cross-site request forgery (CSRF), it would be possible for an attacker to cause arbitrary files to be uploaded, as well as malicious JavaScript code to be saved to the plugin’s settings. There also appear to be additional security issues in the plugin.
The plugin’s admin page is accessible to those with the manage_options capability, which normally only Administrators have:
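The pattern behind this class of issue is an admin page that checks only the user's capability and not whether the request actually originated from the plugin's own form. Below is an added illustration, not the Maintenance plugin's code: a hypothetical settings handler (all function, option and field names are invented for the example) shown first in the CSRF-prone form and then hardened with a WordPress nonce check, input sanitization and an upload type allowlist.

```php
<?php
// Added example, not the Maintenance plugin's code. All names
// (example_*) are hypothetical. Requires WordPress core functions.

// BEFORE (illustrative weak pattern): only the capability is checked.
// A request forged from another site and carried by a logged-in
// administrator's browser passes this check, so it can store raw
// (script-bearing) settings and an uploaded file of any type.
function example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_POST['example_custom_js'] ) ) {
        update_option( 'example_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
    }
    if ( ! empty( $_FILES['example_logo']['name'] ) ) {
        $upload = wp_handle_upload( $_FILES['example_logo'], array( 'test_form' => false ) );
        if ( empty( $upload['error'] ) ) {
            update_option( 'example_logo_url', $upload['url'] );
        }
    }
}

// AFTER: capability check plus nonce verification, sanitized settings
// and a restricted upload type list.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // The nonce is bound to this user's session and to this action; a
    // cross-site request cannot include a valid one, so check_admin_referer()
    // stops the request here (it calls wp_die() on failure).
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    if ( isset( $_POST['example_custom_js'] ) ) {
        // Store plain text only: tags are stripped so no script can be
        // persisted and later rendered on admin or public pages.
        $value = sanitize_textarea_field( wp_unslash( $_POST['example_custom_js'] ) );
        update_option( 'example_custom_js', $value );
    }

    if ( ! empty( $_FILES['example_logo']['name'] ) ) {
        // Allowlist image types and verify both extension and content.
        $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
        $check   = wp_check_filetype_and_ext(
            $_FILES['example_logo']['tmp_name'],
            $_FILES['example_logo']['name'],
            $allowed
        );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            wp_die( 'Disallowed file type.', 400 );
        }
        $upload = wp_handle_upload(
            $_FILES['example_logo'],
            array( 'test_form' => false, 'mimes' => $allowed )
        );
        if ( isset( $upload['error'] ) ) {
            wp_die( esc_html( $upload['error'] ), 400 );
        }
        update_option( 'example_logo_url', esc_url_raw( $upload['url'] ) );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The settings form must emit the matching nonce field; without it the
// hardened handler rejects every submission, including legitimate ones.
function example_render_settings_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
        <textarea name="example_custom_js"><?php
            echo esc_textarea( get_option( 'example_custom_js', '' ) ); ?></textarea>
        <input type="file" name="example_logo">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this weakness, the quick check is to look at every handler that writes options or accepts `$_FILES` and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call sits alongside the `current_user_can()` check; a capability check alone does not distinguish a request the administrator intended from one their browser was tricked into sending.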