9 Jan 2017

WordPress Plugin Security Review: SSL Insecure Content Fixer

Back in November we announced that we would be doing security reviews of WordPress plugins selected by our customers. We recently received the first suggestions and votes for plugins to review and have started doing the reviews based on the results so far (if you are a customer and haven't suggested plugins or voted for those suggested by others, you can do that here). The first review identified a number of issues, which we notified the developer of; so far we have not heard back from them and the issues have not been fixed, so we are holding back the results of that review for now. In the meantime we have completed the second review, which was done on version 2.2.1 of SSL Insecure Content Fixer.

Since we announced this feature of the service we have added one item to those we check during a review: deserialization of untrusted data, which can lead to PHP object injection. We have recently seen several cases where that type of vulnerability was being exploited, or was likely being exploited, in WordPress plugins. The full list of items we checked for during the review is:
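To show what the deserialization item above looks like in practice, here is an added illustration written for this post. It is not code from SSL Insecure Content Fixer or from any plugin we have reviewed, and it does not describe an issue found in this plugin; the class, function and option names are hypothetical. It puts a vulnerable `unserialize()` sink beside two hardened forms and runs a constructed attacker payload through all three.

```php
<?php
// Added illustration for this post, not code from SSL Insecure Content Fixer or
// from any plugin reviewed here. Class, function and option names are hypothetical.

// The gadget: a class with a magic method. unserialize() rebuilds any object the
// payload names, and PHP calls __destruct() on it automatically later, so an
// attacker who controls the serialized string controls these property values.
class Hypothetical_Cache_Writer {
    public $path;
    public $content;
    public function __destruct() {
        // A real plugin might write $content to $path here; this version only
        // reports what it would have done.
        echo "would write to {$this->path}: {$this->content}\n";
    }
}

// Vulnerable sink: a setting read from a cookie or POST field goes straight into
// unserialize(). Any visitor can send a serialized object of any loaded class.
function load_prefs_vulnerable(string $raw) {
    return unserialize($raw);
}

// Fix 1 (PHP 7.0+): keep the wire format but forbid object instantiation.
// Objects in the payload come back as __PHP_Incomplete_Class; no magic method runs.
function load_prefs_no_objects(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Fix 2: do not accept PHP serialization from untrusted sources at all. JSON has
// no way to name a class, so json_decode() cannot instantiate anything.
function load_prefs_json(string $raw) {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed attacker payload: what serialize() produces for a
// Hypothetical_Cache_Writer whose two properties the attacker chose.
$payload = 'O:25:"Hypothetical_Cache_Writer":2:{s:4:"path";s:13:"/tmp/evil.php";s:7:"content";s:5:"<?php";}';

echo "vulnerable sink: ";
$obj = load_prefs_vulnerable($payload);
echo get_class($obj), "\n";
unset($obj); // releasing the object runs the attacker-controlled __destruct()

echo "allowed_classes=false: ";
$obj = load_prefs_no_objects($payload);
echo get_class($obj), "\n";
unset($obj); // an incomplete class has no __destruct() to run

echo "json_decode: ";
echo count(load_prefs_json($payload)), " keys (the payload is not valid JSON)\n";
```

Run it with `php` on the command line. For a plugin review, the corresponding check is to search the code for `unserialize(` (and for WordPress's `maybe_unserialize()`, which wraps `unserialize()` and does not restrict classes on its own) and trace whether the argument can come from `$_GET`, `$_POST`, `$_COOKIE`, `$_REQUEST` or any other request-controlled input; only when no such path exists is the call safe.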