If you were not too familiar with the security industry you would probably assume that if a company is the developer of a WordPress security plugin then other plugins they make would be quite secure. That turns out to not be the case with the developer of the Security Ninja plugin. Yesterday we full disclosed a minor vulnerability in one their other plugins, Google Maps Widget, which has 100,000+ installs according to WordPress.org. Then today we saw that they fixed a similar issue in another of their plugins, Minimal Coming Soon & Maintenance Mode, which has 60,000+ installs. In a reminder of how insecure some plugins are (even if the developer also has a security plugin), when we looked at the code being changed to fix that we noticed that in the same function there is another more serious vulnerability, one that wasn’t fixed.
This post provides the details of a vulnerability in the WordPress plugin Minimal Coming Soon & Maintenance Mode not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to customers of that service. If you are not currently a customer, you can sign up for free here and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.