Full Disclosure of PHP Object Injection Vulnerability in Patreon WordPress
The unfortunate reality when it comes to WordPress plugins is that there are lots of security issues in them, so even if the people on the WordPress side of things were not working against improving security there would still be lots of problems. As an example of that, when the latest version of the plugin Patreon WordPress showed up in our monitoring of changes made to plugins that might involve security vulnerabilities being fixed, we found a serious vulnerability unrelated to the change we were looking into. The change that caused the plugin to appear on our radar doesn't seem related to a vulnerability, but while looking into it we happened across a PHP object injection vulnerability, a type of vulnerability that more advanced hackers have been known to exploit widely, which is present in the current version of the plugin.
The line we noticed that might have allowed PHP object injection (located in the file /classes/patreon_routing.php):
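For illustration, an added example that is not the plugin's code and does not reproduce the line in /classes/patreon_routing.php: the general shape of a PHP object injection sink (unserialize() on visitor-controlled data) beside two hardened alternatives. The class, function and variable names are assumed.

```php
<?php
// Added illustration of the PHP object injection pattern. This is NOT the
// Patreon WordPress plugin's code; class, function and variable names are assumed.

// Any class with a magic method (__wakeup, __destruct, __toString, ...) that
// is loaded by WordPress, a theme or another plugin becomes a "gadget" once
// attacker-shaped serialized data reaches unserialize(): the object is built
// from the string's property values and the magic method runs without the
// application ever calling it.
class SessionState {
    public $label = 'default';
    public function __wakeup() {
        // Side effect that runs as soon as unserialize() rebuilds the object.
        echo "SessionState::__wakeup ran with label '{$this->label}'\n";
    }
}

// Vulnerable pattern: unserialize() applied directly to input the visitor controls
// (a cookie, a query parameter, a POST field). Every loadable class is fair game.
function load_state_vulnerable(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened, option 1: forbid instantiating any class. Objects in the input become
// __PHP_Incomplete_Class instances and no magic method is invoked.
function load_state_hardened(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened, option 2: use a data-only format; JSON cannot describe PHP objects.
function load_state_json(string $untrusted): ?array {
    $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed sample input: a serialized SessionState, as it might arrive in a cookie.
$sample = serialize(new SessionState());

load_state_vulnerable($sample);          // __wakeup runs: the sink is reachable
$safe = load_state_hardened($sample);    // no output: class not instantiated
var_dump($safe instanceof __PHP_Incomplete_Class);  // bool(true)
var_dump(load_state_json('{"label":"default"}'));   // array(1) { ["label"]=> "default" }
```

When auditing a plugin, the check is whether the argument to unserialize() (or to a wrapper that ends up calling it) can be influenced by the request; if it can and no allowed_classes restriction is in place, the sink is exploitable given a suitable gadget class anywhere in the installation.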