Today, Patchstack claimed there was a cross-site request forgery (CSRF) vulnerability in the latest version of the WordPress plugin Template Debugger, but didn’t provide the information needed to check on their claim. In looking into this, we found what probably is what they are labeling as a CSRF vulnerability, but it is actually a much more serious vulnerability. The vulnerability allows an attacker to run arbitrary code on the website.

…

[Read more]