On Tuesday we full disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, but plugins with more serious vulnerabilities we have full disclosed have not, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it during monitoring we do to try to catch security fixes being made in plugins, due it to its inclusion in another plugin. Then yesterday another plugin from the same developer from that other plugin popped up in that monitoring again related to OptionTree. So this seems like a good time disclose that both of those plugins are also vulnerable. There might be other plugins also using OptionTree as well, though at least we didn’t find that any of the top 1,000 are using it.

The second plugin we noticed it in is Simple Link Directory. That plugin includes OptionTree in the directory “option-tree” and when this plugin is active it loads OptionTree with this line in the plugin’s main file: [Read more]