Limiting information on vulnerabilities being fixed in WordPress plugins isn’t a great idea as we were reminded of this week when the discoverer of a vulnerability didn’t disclose it until after hackers had started more widely exploiting the vulnerability, leaving most everyone else in the dark about what was going on (customers of our service we were warned before the widespread hacking happened because we do the work to keep ahead of things). Another reason for providing information in a timely manner is that often vulnerabilities haven’t been fully fixed or there are more related vulnerabilities that haven’t been fixed. That is the case with the plugin WP Shopify where when went to look into the possibility that a vulnerability had been fixed we spotted what turned out to be related unfixed vulnerability before we even figured out what the vulnerability fixed was.

The additional vulnerability allows even those not logged in to WordPress to change the plugin’s settings and place malicious JavaScript code in to settings, which is referred to persistent cross-site scripting (XSS). Like an increasing number of vulnerabilities this one involves code that runs through WordPress REST API, which means it is something that would be caught if we had been hired to do a security review of the plugin. [Read more]