28 May 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in WP Open Graph

A cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability fixed in the plugin WP Open Graph is a good example of why relying on changelog entries to tell you whether a security update is included in a new version doesn't work well, as the version this was fixed in didn't have a changelog entry. We ran across this because the CSRF portion was vaguely disclosed by JPCERT/CC and credited to Koichi Kuriyama of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University. In looking into it we found that it also involved XSS.
