Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Meteor Slides
The WordPress plugin Meteor Slides was closed on the WordPress Plugin Directory yesterday. As at least one customer of ours is using the plugin, we were alerted to the closure. No explanation has been given for the closure, but we found that the plugin contains an authenticated persistent cross-site scripting vulnerability, which, according to WPScan, was already found by Lana Codes. That vulnerability is caused by the plugin’s shortcode functionality.
…