Vulnerability Details: Malicious JavaScript Code in N-Media Plugins
The latest subversion repository entry for the plugins Mailchimp Subscription Form (N-Media MailChimp Subscription) and WooCommerce Vendor and Member Conversation (WooCommerce Vendors and Customers Conversation) is:
malicious code removed and also trunk directory updated.
Vulnerability Details: Same Origin Method Execution (SOME) Vulnerability in WooCommerce Vendors and Customers Conversation (WooCommerce Vendor and Member Conversation)
From time to time a vulnerability is fixed in a plugin without the discoverer publishing a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information.
Developers don’t always do things that make a lot of sense. Earlier this week we detailed a same origin method execution (SOME) vulnerability in a plugin and noted that one of the moderators had made the situation worse by making it harder to get it fixed. Despite the person that disclosed it claiming that it was exploited to hack a couple of websites (something we think is unlikely), it has yet to be fixed. Yesterday the developer of that plugin released an update to another one of their plugins, WooCommerce Vendors and Customers Conversation (WooCommerce Vendor and Member Conversation), which fixes the same vulnerability in that plugin by removing the outdated version of the third-party library Plupload that contains a vulnerability in one of its files (located at /js/plupload-2.1.2/js/Moxie.swf in this plugin). This plugin only has 200+ active installations, according to wordpress.org, versus 10,000+ for the one that hasn’t been fixed.