Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WooCommerce Extending Plugin
When it comes to the security of WordPress plugins, the unfortunate reality is that the same problems occur over and over, and yet it seems we are largely alone in being interested in taking action to address them. One of the issues with that is that what we can do is limited; most of the changes require the people in charge of the Plugin Directory to be willing to work with others to fix them, which isn’t happening, as they seem to be detached from reality and are unwilling to even acknowledge the problems exist, much less discuss making changes to fix them.
One rather frequent issue with the security of WordPress plugins is that plugins designed to extend WooCommerce, which has 4+ million installs, do not properly restrict access to AJAX-accessible functions. Seeing as by default that plugin allows untrusted individuals to create accounts, allowing anyone logged in to WordPress to access functionality only intended for high-level users is of particular concern.
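The pattern described above, as an added example that is not the code of the plugin the post refers to (the post does not show it): a hypothetical WooCommerce-extending plugin's AJAX upload handler, first with the missing checks and then in hardened form. The action names, function names and nonce name are assumptions.

```php
<?php
// Added example; hook, function and nonce names are hypothetical.
// Both handlers are registered on a wp_ajax_ hook, which fires for any
// logged-in user, including a WooCommerce customer account anyone can create.

// Pattern the post describes: the handler trusts the request outright.
// No nonce check, no capability check, and the caller picks the filename,
// so any logged-in user can write an arbitrary file into the site.
add_action( 'wp_ajax_acme_wc_upload_unchecked', 'acme_wc_upload_unchecked' );
function acme_wc_upload_unchecked() {
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// Hardened form: verify the nonce, require a WooCommerce management
// capability (the customer role does not have manage_woocommerce), and let
// WordPress validate the file type and choose the destination.
add_action( 'wp_ajax_acme_wc_upload', 'acme_wc_upload_checked' );
function acme_wc_upload_checked() {
    // Dies with a 403 response when the 'nonce' request field is missing or invalid.
    check_ajax_referer( 'acme_wc_upload', 'nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // wp_handle_upload() checks the extension and MIME type against the
    // site's allowed upload types, rejects anything else, and writes into
    // the uploads directory under a sanitized, unique filename.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result['url'] );
}
```

When reviewing a plugin's AJAX handlers, the two things to look for are a `current_user_can()` check appropriate to the functionality and a `check_ajax_referer()` call; a `wp_ajax_` hook with neither is reachable by every registered user.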