Recently we added checks for possible local file inclusion (LFI) vulnerabilities to our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins and considering the state of security of WordPress plugins in probably isn’t surprising we already caught another vulnerability of that type. Specifically we caught an authenticated local file inclusion (LFI) vulnerability in Shortcode Factory, which could also be exploited through cross-site request forgery (CSRF). The vulnerability had been in the plugin for nearly four years without getting noticed before.

Our Plugin Security Checker will alert you if plugins you use possibly contain the same type vulnerable code (and possibly contain more serious vulnerable code). From there if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that or you can order the same type of review separately. [Read more]