Last Thursday we notified the developer of the plugin Contact Form by BestWebSoft of the results of our security review of their plugin (the plugin was chosen by our customer to receive a review from us). One of the issues we noticed was reflected cross-site scripting (XSS) vulnerability, which we also found existed in 40 other of their plugins due to the code that caused the vulnerability being shared among the plugins.

While preparing the data on the vulnerability in those plugins to add to our data set once we disclosed the vulnerability we noticed that the same issue had been fixed in 12 other plugins by the developer as of the day we notified them, so we figured that we were not the only ones that had noticed this vulnerability. Today a company named DefenseCode put out a report on the vulnerabilities (PDF), in which they state they notified the developer of the vulnerability on March 24. In their report the response from the developer states they were already aware of the issue before even then: [Read more]