Reflected Cross-Site Scripting (XSS) Vulnerability in Newsletter Glue
As part of monitoring the security of plugins used by our customers, we have a system that alerts us when a plugin used by a customer has been removed from the WordPress Plugin Directory. A common cause of those removals is security issues (or at least claimed security issues). That brought the plugin Newsletter Glue to our attention recently, as it was closed in August. The removal reason given is “Author Request”, but we wanted to make sure there wasn’t a serious vulnerability in the plugin as well.
What we found is that the plugin contains a minor vulnerability caused by a lack of basic security. We also ran across other security problems with the plugin. For example, the plugin registers functions to be accessible via AJAX by visitors who are not logged in (in addition to those who are logged in), even though those functions only allow users with the manage_options capability to use their functionality. If you are concerned about security, we would recommend not using the plugin unless a thorough security review is done and all issues are addressed.
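To illustrate the AJAX registration problem described above, here is an added example (not Newsletter Glue's code) contrasting the weak pattern with a hardened one. The action name `example_export_list`, the `list` parameter and the handler function names are assumptions for the illustration.

```php
<?php
// Added illustration, not the plugin's own code. The action name
// "example_export_list" and both handler functions are hypothetical.

// Weak pattern: hooking the same handler on wp_ajax_ AND wp_ajax_nopriv_
// makes the callback reachable by logged-out visitors at all, even though
// only users with manage_options are meant to use it. The capability check
// then becomes the only thing standing between the public and the handler.
function example_export_list_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed' );
    }
    $list = isset( $_GET['list'] ) ? $_GET['list'] : '';
    echo 'Exporting ' . $list; // request input reflected without escaping
    wp_die();
}
// Shown for contrast only; a real plugin would ship just one registration.
// add_action( 'wp_ajax_example_export_list', 'example_export_list_weak' );
// add_action( 'wp_ajax_nopriv_example_export_list', 'example_export_list_weak' ); // needless

// Hardened form: register only the logged-in hook so anonymous requests
// never reach the callback, verify a nonce bound to the action, check the
// capability, sanitize the input and escape anything sent back.
function example_export_list_secure() {
    check_ajax_referer( 'example_export_list', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Not allowed', 403 );
    }
    $list = isset( $_GET['list'] )
        ? sanitize_text_field( wp_unslash( $_GET['list'] ) )
        : '';
    wp_send_json_success( array( 'message' => 'Exporting ' . esc_html( $list ) ) );
}
add_action( 'wp_ajax_example_export_list', 'example_export_list_secure' );
```

The nonce for the secure handler would be generated in the admin page with `wp_create_nonce( 'example_export_list' )` and passed as the `nonce` request parameter.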