30 Apr 2019

Vulnerability Details: SQL Injection in RSVPMaker

A SQL injection vulnerability fixed in the RSVPMaker plugin is a good example of why relying on changelogs to tell you whether security vulnerabilities have been fixed in a WordPress plugin is not a good idea: there is currently no changelog entry for the latest version of the plugin. We noticed that there might have been a vulnerability fix in that version because of the log entry left in the Subversion repository that underlies the Plugin Directory, “fix for sql injection hack”. That is something the average user of a plugin isn’t going to monitor, but hackers easily can.
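Because the Subversion log behind the Plugin Directory is public, a site owner can watch it the same way an attacker would and treat commit messages such as “fix for sql injection hack” as a signal to update. The script below is an added example, not code from this post or from the RSVPMaker project: it parses the XML that `svn log --xml` produces and flags revisions whose message matches a security-related keyword. The keyword list is an assumption for illustration, and the sample log (revision numbers, dates, messages) is constructed here rather than taken from the real repository.

```python
"""Flag security-related commit messages in a WordPress plugin's
Subversion log (the format produced by `svn log --xml`).

The sample log below is constructed for this example; the revision
numbers, dates and messages are not from the real RSVPMaker repository.
"""
import re
import xml.etree.ElementTree as ET

# Keywords a defender would watch for in commit messages.
# This list is an assumption for illustration, not an exhaustive one.
SECURITY_PATTERNS = [
    r"sql\s*injection",
    r"\bxss\b|cross[- ]site scripting",
    r"\bcsrf\b|nonce",
    r"sanitiz|escap",
    r"\bsecurity\b|\bvuln",
    r"\bhack",
]
_SECURITY_RE = re.compile("|".join(SECURITY_PATTERNS), re.IGNORECASE)

# Constructed sample in the shape of `svn log --xml` output.
SAMPLE_LOG_XML = """<log>
<logentry revision="100">
<author>plugin-author</author>
<date>2019-04-20T10:00:00.000000Z</date>
<msg>bump tested-up-to version</msg>
</logentry>
<logentry revision="101">
<author>plugin-author</author>
<date>2019-04-25T09:30:00.000000Z</date>
<msg>fix for sql injection hack</msg>
</logentry>
<logentry revision="102">
<author>plugin-author</author>
<date>2019-04-28T14:15:00.000000Z</date>
<msg>add nonce check to settings form</msg>
</logentry>
</log>
"""


def parse_svn_log(xml_text):
    """Return a list of dicts (revision, author, date, msg) from svn log --xml output."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter("logentry"):
        entries.append({
            "revision": int(entry.get("revision")),
            "author": entry.findtext("author", default=""),
            "date": entry.findtext("date", default=""),
            "msg": (entry.findtext("msg", default="") or "").strip(),
        })
    return entries


def flag_security_commits(entries):
    """Return the entries whose commit message matches a security keyword,
    each with the matched keyword attached under 'matched'."""
    flagged = []
    for e in entries:
        m = _SECURITY_RE.search(e["msg"])
        if m:
            flagged.append(dict(e, matched=m.group(0).lower()))
    return flagged


def security_revisions(xml_text):
    """Revision numbers in a log whose messages look like security fixes."""
    return [e["revision"] for e in flag_security_commits(parse_svn_log(xml_text))]


if __name__ == "__main__":
    # In real use, feed in the output of
    #   svn log --xml -l 50 https://plugins.svn.wordpress.org/<plugin-slug>/
    # (plugins.svn.wordpress.org is the real plugin SVN host; <plugin-slug> is a placeholder).
    for e in flag_security_commits(parse_svn_log(SAMPLE_LOG_XML)):
        print(f"r{e['revision']} {e['date'][:10]} [{e['matched']}] {e['msg']}")
```

Run it on a recent slice of a plugin's log and any flagged revision is a prompt to compare the plugin's tagged release against what you have installed; a keyword hit is a hint to investigate, not proof of a vulnerability, since authors word commits inconsistently.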
