5 Oct 2018

The Continued Inappropriate Behavior of WordPress Has Led to This Disclosure of an Exploitable Vulnerability in a Plugin with 30,000+ Active Installs

A lot has been going on for us recently. One of those things is that we have made a big improvement to our ability to detect the possibility of vulnerabilities being fixed in plugins, so that we can add more of them to our data set. That has led to us reviewing code changes in more plugins and finding more vulnerabilities, which are more serious than the possible issues that might have already been fixed. That today led to us noticing that there is a PHP object injection vulnerability, which is the type of vulnerability that more advanced hackers are likely to try to exploit, in the plugin WP DSGVO Tools, which has 30,000+ active installs.

Another thing that has gone on is that, due to the continued inappropriate behavior by the moderators of the WordPress Support Forum, we have started fully disclosing vulnerabilities in WordPress plugins until such time that they stop acting inappropriately. They could have already done that and the full disclosures would have stopped; instead, so far they have just decided to compound their bad behavior with more of it. What that means is that instead of contacting the developer and letting them know about the vulnerabilities, offering assistance in fixing them, and only after they have had a chance to do so, disclosing them, we are just disclosing them. We then try to notify the developers of the full disclosure through the Support Forum. That isn’t a good thing, but the inappropriate behavior of the moderators of the Support Forum is much more of a problem and it needs to finally stop.