31 Mar 2017

Vulnerability Details: Possible Remote Code Execution (RCE) Vulnerability in Lightbox Wp

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor hacking attempts on our websites. Through that we recently came across a request for a file, /wp-content/plugins/custom-lightbox/readme.txt, from the plugin Lightbox Wp. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin’s code, we noticed that it contained the same malicious code we have found in numerous other plugins that are being targeted by hackers (none of those plugins were still in the Plugin Directory when we came across them). We also found, as with one of the others, that the malicious code usually will not produce the intended result. [Read more]

13 Feb 2017

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Stats Wp

Back in October we discussed spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago. What was notable about this was that whoever was behind those plugins should not have needed to do that to find which websites were using them, because the plugins contained code that sent an email with the address of the website whenever the plugin was activated or deactivated. That would seem to indicate that someone else had found out about these plugins and was trying to exploit them. That is significant because part of the reason people on the WordPress team have given for not warning people about their use of known vulnerable plugins is that, they say, doing so would allow more people to exploit the vulnerabilities; in this case that looks to be happening despite there being no evidence we could find of a disclosure that all these plugins were vulnerable. Something we ran across recently seems to provide further evidence that it was not the person behind creating those plugins who was doing that probing, and therefore that someone else had found that the vulnerability existed in those plugins.

As part of a series of requests probing for vulnerable plugins on one of our websites recently, we had a request for /wp-content/plugins/stats-wp/js/luc.ajax.geoip.js, from the plugin Stats Wp. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue. [Read more]