The MStore API WordPress Plugin Also Contains an Authenticated Arbitrary File Deletion Vulnerability
Earlier today an unfixed arbitrary file upload vulnerability in the WordPress plugin MStore API was disclosed through the release of exploit code for it. While the information provided with the exploit code claims the vulnerability impacts 2.0.6 and “possibly higher”, the vulnerability didn’t actually exist in that version, but it does exist in the latest version of the plugin (information on which versions of the plugin are impacted is included in the data provided by our service). Earlier today the developer made a change that looks like an attempt to fix this, but without raising the version number of the plugin, so anyone already using the latest version of the plugin wouldn’t be provided with the attempted fix. That doesn’t matter much, as the change doesn’t fix the issue; it just makes exploitation a bit more complicated.
As of posting this, the plugin remains in the WordPress Plugin Directory despite the plugin having a publicly known vulnerability that is of a type hackers are very likely to exploit.