Several weeks ago we detected what look to be someone probing for usage of the plugin Simplr Registration Form Plus+ on one of our website, which is usually an indication that a hacker is aware of an exploitable vulnerability in the plugin. Checking over the plugin we found that there was a vulnerability that would allow someone creating a WordPress account through the plugin to create an account with user specified role instead the role they were intended to have. You could not create an account with the Administrator role, but you could create one with the Editor role (or on a website with custom roles, those as well). Since Editor level users have access to capabilities that could introduce additional security issues, that was a pretty serious issue.
We recently had a request for a file from the plugin Simplr Registration Form Plus+, /wp-content/plugins/simplr-registration-form/assets/simplr_reg.js, on one of our websites. A request for a file from plugin that isn’t installed on a website is usually an indication that someone is probing for usage of a plugin to try to exploit a vulnerability in it. After seeing the request we went looking for what the hacker might be looking to exploit in the plugin so that we could make sure it was in our data set. Since the plugin handles registering users a security issue with it is a big concern. We didn’t have any vulnerabilities for the plugin already in our data set, we couldn’t find any public reports of vulnerabilities, and the plugin hasn’t been updated in five months so a vulnerability wasn’t recently fixed in it. At that point we started to review the plugin for a security vulnerability that hackers might be interested in exploiting.