Privilege Escalation Vulnerability in Razorpay for WooCommerce
Yesterday, the WordPress plugin Razorpay for WooCommerce was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 70,000+ installs), our systems warned us about the closure, and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. We found that it contains what appears to be a very serious vulnerability.
The plugin registers four functions to be accessible through an admin post request by anyone logged in to WordPress: