24 May 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Minor Defacement Vulnerability

Yesterday, the WordPress plugin Shapely Companion was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it contains at least a minor vulnerability.

The plugin registers the function shapely_companion_import_content() to be accessible through WordPress’ AJAX functionality by anyone logged in to WordPress:
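To show why the mechanism described above matters, here is an added illustration of the WordPress AJAX registration pattern in its weak and hardened forms. This is not code from the Shapely Companion plugin or from the post's authors; the action name, callback names and option name (example_import_content, example_front_page_content, example_import_nonce) are hypothetical. A `wp_ajax_{action}` hook fires for every authenticated user regardless of role, so unless the callback itself checks a capability and a nonce, a subscriber-level account can reach it.

```php
<?php
// Added illustration, not code from the Shapely Companion plugin.
// All function, action and option names below are hypothetical.

// --- Weak pattern: the wp_ajax_{action} hook fires for ANY logged-in user,
// regardless of role, and the callback does no capability or nonce check.
add_action( 'wp_ajax_example_import_content', 'example_import_content_unchecked' );

function example_import_content_unchecked() {
    // A subscriber-level account can reach this and overwrite site content,
    // which is the kind of low-privilege defacement the post describes.
    update_option( 'example_front_page_content', wp_unslash( $_POST['content'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern: require a capability appropriate to the action and
// a nonce tied to the admin page that legitimately triggers the request.
add_action( 'wp_ajax_example_import_content_safe', 'example_import_content_checked' );

function example_import_content_checked() {
    // Only users holding manage_options (administrators by default) may import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    // Reject requests that did not originate from the plugin's own admin page.
    // 'example_import_nonce' is the nonce action; '_ajax_nonce' the POST field.
    check_ajax_referer( 'example_import_nonce', '_ajax_nonce' );

    $content = wp_unslash( $_POST['content'] ?? '' );
    // Strip disallowed HTML before storing anything a visitor will see.
    update_option( 'example_front_page_content', wp_kses_post( $content ) );
    wp_send_json_success();
}

// The admin page that issues the request must emit a matching nonce, for
// example with wp_create_nonce( 'example_import_nonce' ) passed to the
// script via wp_localize_script().
```

When reviewing a closed or suspicious plugin, grep its source for `add_action( 'wp_ajax_` and `add_action( 'wp_ajax_nopriv_` and confirm that each callback begins with a `current_user_can()` check and a `check_ajax_referer()` call; a callback that writes options, posts or files without both is the pattern to flag.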