Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up and only trying to notify the developer through the WordPress Support Forum. That creates more of a problem if the vulnerabilities are likely to be exploited, like the arbitrary file viewing vulnerability we disclosed yesterday in the plugin WebP Express is. Thankfully with that type of vulnerability it usually doesn’t lead to websites being hacked. You would think that someone on the WordPress side of things might step in to make sure the moderators behavior is cleaned up so that these full disclosures can end, or barring that, make sure to keep on top of these disclosures to avoid those causing major issues. That doesn’t appear to be the case.
Earlier today we noted in detailing an arbitrary file viewing vulnerability that had been fixed in a WordPress plugin that in looking at the code from that we made improvement to our detection of that type of vulnerability in our proactive monitoring of changes being made to plugins to try to catch serious vulnerabilities when they are introduced in to plugin and our Plugin Security Checker. It didn’t even take a day before that improvement allowed us to spot an arbitrary file viewing vulnerability in the plugin WebP Express through that proactive monitoring. That type of vulnerability is likely to be exploited, though usually doesn’t cause website to be hacked.