With the recently widely exploited WordPress plugin WP GDPR Compliance there were two serious vulnerabilities that were fixed before one of them was widely exploited, there was also another issue that was fixed and brought up in passing at the time, but we were left unclear as the seriousness of, that being ability to pass arbitrary values to the do_action() WordPress function. We really should put a post on what we found when we went to look further in to that, but the short version is that it looks like at least with what code you can cause to execute from WordPress, that this is threat looks to be somewhat limited and even more limited if user input is only used to specify the action to be executed and not additional arguments. But in any case that type of issue would be a remote code execution (RCE) vulnerability, so we updated a check included in our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities and Plugin Security Checker to spot possible instances of that type of vulnerability. That led to us spotting an instance of the vulnerability in the plugin PropertyHive through our proactive monitoring.
This vulnerability has been in the plugin for 18 months without being noticed before. [Read more]