Several weeks ago we detected what look to be someone probing for usage of the plugin Simplr Registration Form Plus+ on one of our website, which is usually an indication that a hacker is aware of an exploitable vulnerability in the plugin. Checking over the plugin we found that there was a vulnerability that would allow someone creating a WordPress account through the plugin to create an account with user specified role instead the role they were intended to have. You could not create an account with the Administrator role, but you could create one with the Editor role (or on a website with custom roles, those as well). Since Editor level users have access to capabilities that could introduce additional security issues, that was a pretty serious issue.
The response time in dealing with this wasn’t great. The developer only attempted to patch the vulnerability vulnerability two weeks after we had notified them. Before that it took a week for the Plugin Directory to remove the plugin from the directory, until it was fixed, after we had notified them. [Read more]