11 Sep 2019

Persistent Cross-Site Scripting (XSS) Vulnerability in Travelpayouts

The changelog for the last two versions of the plugin Travelpayouts is “SECURITY UPDATE please update ASAP”. When we started looking at the changes made in the older of those versions to see if there was a vulnerability we should be warning customers of our service about, we noticed that the fix for a vulnerability looked incomplete. Looking closer, we found that a related issue is unfixed and leads to a vulnerability of a type hackers would exploit, a persistent cross-site scripting (XSS) vulnerability. The quality of the plugin’s code is quite poor, as the vulnerable functionality doesn’t work if you try to use it as intended, so if you are planning to use this plugin it looks like it might need a lot of work.

The plugin makes the function importCsv() accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in, despite those not logged in not needing access:
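As an added illustration (not the plugin's own code), this shows how a WordPress AJAX handler ends up reachable by unauthenticated requests, beside a registration that restricts it to logged-in users with the needed capability and escapes stored values on output. The action name `tp_import_csv`, the capability, the nonce name and the option name are assumptions.

```php
<?php
// Added example with a hypothetical action name and handler body; not Travelpayouts' code.

// Insecure pattern: the same callback is hooked to both wp_ajax_ (any logged-in user,
// regardless of role) and wp_ajax_nopriv_ (no login at all), so importCsv() answers
// requests to /wp-admin/admin-ajax.php?action=tp_import_csv from anyone.
add_action( 'wp_ajax_tp_import_csv', 'importCsv' );
add_action( 'wp_ajax_nopriv_tp_import_csv', 'importCsv' );

// Hardened pattern: no wp_ajax_nopriv_ hook, and the handler checks a capability
// and a nonce before it touches any input.
add_action( 'wp_ajax_tp_import_csv', 'tp_import_csv_guarded' );

function tp_import_csv_guarded() {
    // Assumed capability for an import feature: administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Reject requests without a valid nonce (CSRF protection); nonce action and field are assumed.
    check_ajax_referer( 'tp_import_csv_nonce', 'nonce' );

    // Sanitize before storing: values that are saved unsanitized and later echoed
    // unescaped are what turns an import into persistent XSS.
    $rows  = ( isset( $_POST['rows'] ) && is_array( $_POST['rows'] ) ) ? $_POST['rows'] : array();
    $clean = array();
    foreach ( $rows as $row ) {
        $clean[] = array_map( 'sanitize_text_field', (array) $row );
    }
    update_option( 'tp_imported_rows', $clean );
    wp_send_json_success( array( 'imported' => count( $clean ) ) );
}

// Wherever the imported values are output, escape them for the HTML context.
function tp_render_rows() {
    foreach ( (array) get_option( 'tp_imported_rows', array() ) as $row ) {
        echo '<li>' . esc_html( implode( ', ', $row ) ) . '</li>';
    }
}
```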