Back in November we were contacted about a PHP object injection vulnerability in the plugin Post Grid that the person who contacted us had seen exploited. We didn’t include it in our data at the time since they said they were waiting on the “developer to respond etc.” before disclosing it. While looking into that vulnerability we discovered a file deletion vulnerability in the plugin, which impacted all the versions that also had the PHP object injection vulnerability, so anyone using our service or the free data that comes with its companion plugin would have been notified that they were using a vulnerable plugin at the time.
One of the reasons we believe that it is important that the details of vulnerabilities in WordPress plugins be disclosed is that if others can review them, that can lead to additional vulnerabilities being identified. That was the case with a recent vulnerability in the Post Grid plugin, where after being notified of the details of a vulnerability (that vulnerability has yet to be publicly disclosed) we found that it pointed to a wider security issue with the plugin.