Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in VendorFuel
One of the ways we help improve the security of WordPress plugins, not just for our customers but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory, which tries to catch serious vulnerabilities before they are exploited. While we have a number of automated checks that are used to spot the possibility of such vulnerabilities, most of the vulnerabilities found so far have come from only two of them. Recently, though, another of those checks caught a vulnerability in the plugin VendorFuel that allows anyone, without logging in, to rewrite the contents of a .css file that is part of the plugin.
The code that causes that is at the beginning of the file /admin-pages/styling.php: