Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in PollDeep
One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught an authenticated arbitrary file upload vulnerability in the plugin PollDeep.
This vulnerability isn’t all that complicated. The plugin registers the function polldeep_upload_files_to_polldeep() to be accessible by anyone logged in to WordPress: