14 Nov

The Need and Limits of Warning That Closed WordPress Plugins Contain Security Vulnerabilities

Earlier today we full disclosed that a WordPress theme contains a vulnerability due to its inclusion of the plugin OptionTree, which we had full disclosed contained the same vulnerability last week. That plugin was removed from the Plugin Directory after the disclosure (though strangely that hasn’t happened with a security plugin that has the same [Read more]

06 Nov

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Plugin with 100,000+ Installs

The WordPress plugin OptionTree recently came onto our radar through our monitoring of indications that changes made to plugins have fixed security issues, as it was included in another plugin and this plugin’s last changelog indicated a security issue had been fixed in the latest version (the relevant vulnerability was already had in our [Read more]