The plugin WP Private Content Plus was closed on the Plugin Directory on the 23rd. The plugin has 9,000+ installs, so it falls below our monitoring threshold of closed plugins. Yesterday a new version was submitted to the Plugin Directory with a changelog entry “Fix security issues related to settings” and a Subversion commit “Version 2.0 with major security fixes”. The closure would appear to be due to NinTechNet having reported to the team running the Plugin Directory a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which was fixed in the new version.

…

[Read more]