Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Sooqr Search
Much like what we found with the plugin Analytics-Gtag earlier this week, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory, which aims to catch serious vulnerabilities, has caught a restricted file upload vulnerability in the plugin Sooqr Search. The most obvious use of it would be persistent cross-site scripting (XSS), since it allows arbitrary content to be written to a JavaScript file. It could also be combined with, say, a local file inclusion (LFI) vulnerability to cause arbitrary code to be executed.
The plugin registers the function sooqr_save_javascript() to run during admin_init:
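As an added illustration of the hardened side of this bug class (this is example code, not the Sooqr Search plugin's own function), here is what a handler that persists JavaScript to a file from an admin_init hook needs before it writes anything. It assumes a hypothetical POST parameter custom_js, a fixed target file custom.js in the plugin directory, and a form nonce created with wp_nonce_field( 'sooqr_save_js', 'sooqr_js_nonce' ); none of those names come from the plugin.

```php
<?php
// Hypothetical, hardened handler added as an example; not the plugin's code.
// Assumptions: content arrives in $_POST['custom_js'], the target is a fixed
// custom.js inside the plugin directory, and the submitting form carries a
// nonce made with wp_nonce_field( 'sooqr_save_js', 'sooqr_js_nonce' ).

add_action( 'admin_init', 'example_save_javascript_hardened' );

function example_save_javascript_hardened() {
    // Only act on an actual save attempt.
    if ( ! isset( $_POST['custom_js'] ) ) {
        return;
    }

    // admin_init fires for every admin-area request, including ones routed
    // through admin-ajax.php, so the hook alone says nothing about who is
    // calling. Require the capability and the CSRF nonce before any write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'sooqr_save_js', 'sooqr_js_nonce' );

    // Write only to a fixed path; the request must never choose the file name
    // or extension, otherwise this becomes an arbitrary file write.
    $target = plugin_dir_path( __FILE__ ) . 'custom.js';

    // wp_unslash() removes the slashes WordPress adds to $_POST values.
    $content = wp_unslash( $_POST['custom_js'] );

    // Use the WP_Filesystem abstraction rather than a bare file_put_contents().
    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();
    global $wp_filesystem;
    if ( ! $wp_filesystem->put_contents( $target, $content, FS_CHMOD_FILE ) ) {
        wp_die( 'Could not write file.' );
    }
}
```

A cleaner alternative is to hook the save to admin_post_{action} instead of admin_init, so the handler only runs for an explicit form submission; the capability and nonce checks are still required either way.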