25 Apr 2019

What Security Review? Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the plugin WP Buddha Free Adwords Plugin (Free Adwords Campaigner), which we came across through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That monitoring flagged that the plugin contains an authenticated option update vulnerability that exists in older versions of the Freemius library, a vulnerability that has been widely exploited.

Yesterday, when we went to double check that, we found that the plugin didn't actually work when installed, because the developer had placed most of its files in the wrong location in its Subversion repository. But when we pulled a copy of the files from the Subversion repository and moved them to the correct location, we confirmed that the vulnerability is exploitable. That file placement issue has since been fixed, but the vulnerability remains in the plugin.