20 Aug 2019

Our Plugin Security Checker Now Warns About Usage of Outdated/Insecure Versions of Redux Framework

We are currently working on a security review of a fairly popular WordPress plugin, which the plugin's developer hired us to do. While working on that we have found a number of issues with the Redux Framework, a third-party library for handling the settings of WordPress plugins. We also noticed that, unlike a lot of third-party libraries, which don't include a version number anywhere, Redux does, so it would be easy enough to add a check to our Plugin Security Checker for outdated versions of it included in plugins run through that tool. While it might make sense to warn about usage of an outdated version, an outdated version is not necessarily insecure. In looking over the library's changelog, though, we noticed that the entry for version 3.5.8.7 is:

Fixed: Reflective XSS security fix. Thanks to Kacper Szurek for the information. [Read more]
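As an added illustration of the kind of check described above (example code written for this post, not the Plugin Security Checker's own implementation), the Python script below scans a plugin directory for bundled copies of Redux and flags any whose version predates 3.5.8.7, the release whose changelog records the reflected XSS fix. It assumes, as a hypothetical, that a bundled Redux copy declares its version in a PHP `$_version` property; the sample plugin tree it scans is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Version whose changelog entry (quoted above) records the reflected XSS fix.
FIXED_VERSION = "3.5.8.7"

# ASSUMPTION (not from the post): a bundled Redux copy declares its version in
# PHP as   public static $_version = '3.x.y';   somewhere in its source.
VERSION_RE = re.compile(r"""\$_version\s*=\s*['"](\d+(?:\.\d+)*)['"]""")


def version_lt(a: str, b: str) -> bool:
    """Numeric, part-wise comparison: '3.5.10' sorts after '3.5.8.7', unlike a
    plain string comparison. Shorter versions are zero-padded ('3.5' == '3.5.0')."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    n = max(len(pa), len(pb))
    return pa + [0] * (n - len(pa)) < pb + [0] * (n - len(pb))


def check_plugin(plugin_dir: str) -> dict:
    """Map each Redux copy found (path relative to the plugin root) to its
    version string and whether it predates FIXED_VERSION."""
    root = Path(plugin_dir)
    results = {}
    for php in root.rglob("*.php"):
        m = VERSION_RE.search(php.read_text(errors="ignore"))
        if m:
            ver = m.group(1)
            results[php.relative_to(root).as_posix()] = {
                "version": ver,
                "outdated": version_lt(ver, FIXED_VERSION),
            }
    return results


def demo() -> dict:
    """Build a constructed plugin tree with two Redux copies and scan it."""
    tmp = Path(tempfile.mkdtemp())
    old = tmp / "inc" / "ReduxCore" / "framework.php"
    new = tmp / "vendor" / "redux" / "framework.php"
    for path, ver in ((old, "3.5.8.6"), (new, "3.5.10")):
        path.parent.mkdir(parents=True)
        path.write_text("<?php\nclass ReduxFramework {\n"
                        f"    public static $_version = '{ver}';\n}}\n")
    return check_plugin(str(tmp))


if __name__ == "__main__":
    for path, info in demo().items():
        flag = f"OUTDATED (pre-{FIXED_VERSION})" if info["outdated"] else "ok"
        print(f"{path}: Redux {info['version']} - {flag}")
```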