Earlier today we full disclosed that a WordPress theme contains a vulnerability due to its inclusion of the plugin OptionTree, which we had full disclosed contained the same vulnerability last week. That plugin was removed from the Plugin Directory after the disclosure (though strangely that hasn’t happened with a security plugin that has the same type of vulnerability that we disclosed yesterday, so who knows what is going on the WordPress side of things). As we noted in the post earlier today, it looks like other themes have, at least in the past, also included the plugin as part of their code. What we have also now run across is that other themes have been separately installing it. With it removed from the Plugin Directory that doesn’t work anymore.
The WordPress plugin plugin OptionTree recently came on to our radar through our monitoring of indications that changes made to plugins have fixed security issues, as it was included in another plugin and this plugin’s last changelog indicated a security issue had been fixed in the latest version (the relevant vulnerability was already had in our data set). Including this plugin in another plugin seems to be of some concern considering the plugin hasn’t been updated in two and half years. We did a little checking over the plugin and found that it has an authenticated PHP object injection vulnerability that is not only exploitable when using the plugin directly but also with the other plugin it shipped with.