Recently, what has probably been the most important way we have been finding new vulnerabilities in WordPress plugins, so that we can notify our customers and they can take appropriate measure to protect themselves, has been by monitoring our websites for what looks to be probing for the usage of plugins. That usually indicates that a hacker is looking to exploit a vulnerability. Yesterday we had requests across our websites for the file /wp-content/plugins/form-lightbox/colorbox/style-1/colorbox.css, which is part of the plugin Form Lightbox and according to wordpress.org it has 10,000+ active installs.

A quick look through the plugin’s files for what would be of interest to hackers brought us to the file /ajax.php. That file starts up WordPress and then allows the requester to update and delete WordPress options: [Read more]