3 Feb 2022

WP Google Map Still Contains CSRF/Settings Change Vulnerability After Multiple Security Updates

The WordPress plugin WP Google Map, which has 20,000+ installs, recently came onto our radar due to obfuscated code in the plugin. That code has now been removed, but when we went to check on that, we noticed the plugin had a vulnerability right below the code containing the obfuscation. What makes that stand out more is that it is still there after multiple security updates to the plugin. Here are the most recent changelog entries for the plugin, with only one of those versions, 1.8.2, not referencing a security change being made:

1.8.5

  • Code Optimization
  • Security enhancement

1.8.4

  • CSRF issue fixing
  • Tabs UI update
  • Marker Icon preview issue fixing
  • DB query and code optimized

1.8.3

  • Ajax Security issues resolved
  • Marker Edit page minor bug fixing

1.8.2

  • Clickable marker infowindow introduced.

1.8.1

  • Hot fix: Security issue fixed.

1.8.0

  • Multiple Marker system introduced.
  • Complete Admin UI updated for a better experience.
  • Datatable introduced for Map and Marker listing.
  • Added advanced option for API load restriction, prevent other map API loading with user consent.
  • Support page modified for better support.
  • Marker Description and Image attachment support implemented.
  • Security improvement.

1.7.7

  • Minor bug fixing
  • Autoloader class implemented
  • Map control options added (disable zoom, disable street view option, disable drag, disable double click zoom, disable pan control)
  • Security improvement
  • Appsero SDK implement for prompt support to users

Cross-Site Request Forgery/Settings Change

The plugin registers a settings page to be accessible to Administrators with the following code: [Read more]

17 Dec 2021

Not Really a WordPress Plugin Vulnerability, Week of December 17

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don't appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of those that we haven't felt rose to that level. In particular, there are items that are not outright false, where the issue is probably more accurately described as a bug. For those that don't rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Reflected Cross-Site Scripting in LiteSpeed Cache

For a claimed admin+ reflected cross-site scripting vulnerability in LiteSpeed Cache, the WPScan Vulnerability Database provided this proof of concept: [Read more]