Our Proactive Monitoring Caught an Authenticated Plugin Deactivation Vulnerability in Userplace
Recently we ran across a vulnerability, which had just been fixed, in a plugin that allowed deactivating arbitrary WordPress plugins. That is a big concern for firewall plugins, like the one we recently released, since an attacker could disable the firewall plugin and then take actions the firewall would otherwise have blocked. Making it more of a concern, testing we did after finding it showed that most security plugins don't protect against that. We have put protection for that in place in our firewall plugin, and it will ship with the next version of the plugin, but based on past experience, other security plugins likely won't address it.
After seeing that vulnerability, we updated our automated tools, including the proactive monitoring of changes made to plugins in the Plugin Directory that we run to try to catch serious vulnerabilities, so that they detect some instances of it. Because of that update to our proactive monitoring, we were alerted to an authenticated instance of it in the plugin Userplace.
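As an added illustration (not code from this post or from the author's firewall plugin), here is one way a security plugin can keep itself from being switched off through a plugin deactivation vulnerability: a filter on the `active_plugins` option that puts the plugin back unless the deactivation came from a user with the `activate_plugins` capability acting through the Plugins screen with a valid nonce. The plugin basename and function names are placeholders; the hooks, nonce actions and request parameters are WordPress's own.

```php
<?php
// Added example; assumed plugin basename (placeholder, not from the post).
define( 'MY_FIREWALL_BASENAME', 'my-firewall/my-firewall.php' );

// True only for a deactivation that WordPress core's Plugins screen would
// have produced: a user allowed to manage plugins plus the matching nonce.
function my_firewall_deactivation_is_legitimate() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return false;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $nonce  = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';

    if ( 'deactivate' === $action ) {
        // Single "Deactivate" link: per-plugin nonce.
        return false !== wp_verify_nonce( $nonce, 'deactivate-plugin_' . MY_FIREWALL_BASENAME );
    }
    if ( 'deactivate-selected' === $action ) {
        // Bulk action on the Plugins screen: shared bulk nonce.
        return false !== wp_verify_nonce( $nonce, 'bulk-plugins' );
    }
    // Anything else (AJAX handlers, front-end requests, arbitrary callers) is refused.
    return false;
}

// pre_update_option_active_plugins runs inside update_option() before the new
// list is stored, so this is the last point at which the entry can be restored.
function my_firewall_keep_active( $new_value, $old_value ) {
    $was_active   = in_array( MY_FIREWALL_BASENAME, (array) $old_value, true );
    $still_active = in_array( MY_FIREWALL_BASENAME, (array) $new_value, true );

    if ( $was_active && ! $still_active && ! my_firewall_deactivation_is_legitimate() ) {
        // Leave other plugins' changes alone; only re-add ourselves.
        $new_value   = (array) $new_value;
        $new_value[] = MY_FIREWALL_BASENAME;
        error_log( 'my-firewall: blocked a deactivation attempt outside the Plugins screen' );
    }
    return $new_value;
}
add_filter( 'pre_update_option_active_plugins', 'my_firewall_keep_active', 10, 2 );
```

Note that `deactivate_plugins()` fires the plugin's deactivation hooks before the option is written, so the filter keeps the plugin loaded on subsequent requests but cannot undo work done in a deactivation hook; on multisite, network-activated plugins live in the `active_sitewide_plugins` site option and need the same treatment there.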