Our second publicly disclosed vulnerability report follows our first in that in both cases we found the vulnerability while reviewing reports of another vulnerability, which might be a good indication of the state of security for WordPress plugins. In this case, while we were trying to set up the Resume Submissions & Job Postings plugin to test the vulnerability we had been looking into, we ran across a forum post indicating that there was some form of cross-site scripting (XSS) vulnerability in the resume form. After a little testing we were able to confirm that there was in fact a persistent (stored) XSS vulnerability in the plugin.
With our service we don’t just throw newly reported vulnerabilities into our data; we actually test each vulnerability. That means we can tell you which versions are vulnerable, we can exclude false reports of vulnerabilities, and, probably most importantly, we can determine whether the vulnerability has actually been fixed. That last point is a big distinction between us and other similar services. It also helps to improve the security of the WordPress ecosystem, because if we don’t do it, in many cases it doesn’t look like anyone else will, as an unfixed vulnerability from 2012 that we recently ran across shows.