A few weeks ago we full disclosed a fairly serious vulnerability in a security plugin with 70,000+ installs designed to log WordPress user activity (probably in large due part to the people on the WordPress side of things, that vulnerability hasn’t been fixed so far), through our our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we run across another logging plugin, WatchMan-Site7, that has a vulnerability of its own. Through the vulnerability an attacker that could get a logged in Administrator to access a page they control could cause a malicious file to be uploaded on the website and from they could almost anything with the website.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). [Read more]