Earlier today we detailed a failed attempt to fix a reflected cross-site scripting (XSS) vulnerability in the latest version of Smart Forms. When putting together a post detailing a vulnerability discovered by others, we check to see if that vulnerability is something that would have been caught by our Plugin Security Checker, an automated tool anyone can use to check to see if a WordPress plugin possibly contains security issues, so that we can continue to improve that tool. With this plugin we found the code that was attempted to be fixed was flagged by the tool and an additional line of code that wasn’t changed in the latest version of the plugin was also flagged. Further checking confirmed that additional line was also vulnerable.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community. [Read more]