One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, isĀ our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of those vulnerabilities, an authenticated option update vulnerability, being fixed in the plugin Page View Count.
…
Last week we had what looked to be a hacker probing for usage of the WordPress plugin Page View Count, which has 20,000+ installs, on our website. While there is a vulnerability that was recently fixed that could explain a hacker targeting the plugin, we did a quick check over the plugin. We found the plugin is lacking basic security and contains at least one vulnerability, a settings change vulnerability. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found addressed.
When the plugin is active, an instance of the class Admin_UI in the file /admin/admin-ui.php is initialized. That causes the __construct() function in the class to be run, which in turn causes the function update_google_map_api_key() in the file to be run: [Read more]
The two latest version of the WordPress plugin Page View Count have been indicated by their changelogs to have security improvements. The element that stood out to us as likely relating to a vulnerability was this changelog entry:
…