In a yet another of far too many instances this has happened, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities has caught a brand new plugin being introduced with a vulnerability that seems like should have been caught through the security review that is supposed to happen new plugins are allowed in the Plugin Directory. This time it is an authenticated remote code execution (RCE) vulnerability in the plugin Master Popups Lite.

We have long offered to provide the team running the Plugin Directory help to have a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have long offered the team running the Plugin Directory free access to the advanced mode of that tool for free. We haven’t heard any interest from that team to either of those offers. [Read more]