WordPress Plugin Targeted by Hacker Currently Contains Authenticated Settings Change Vulnerability
On Saturday we saw what looked like a hacker probing our website for usage of the WordPress plugin WPCargo, which has 10,000+ installs. A recently fixed vulnerability in the plugin could explain why a hacker would be targeting it, but we also did a quick check over the current version of the plugin. We found that it lacks basic security measures and contains multiple security vulnerabilities. The simplest to confirm and explain is an authenticated settings change vulnerability: any logged-in user, not just an administrator, can change the plugin's settings. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found have been addressed.
The plugin registers the function update_import_option_ajax_request() to be accessible through WordPress' AJAX functionality (the wp_ajax_ hook) to anyone logged in to WordPress, regardless of their role:
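To illustrate the class of flaw described above, here is an added example (not WPCargo's code, and not the actual update_import_option_ajax_request() function) of a hypothetical plugin AJAX handler written the insecure way, followed by a hardened version. The hook name, function names and option names are all invented for the illustration.

```php
<?php
// Added example for illustration; hypothetical names, not WPCargo's code.

// Vulnerable pattern. A callback attached to the wp_ajax_{action} hook is
// reachable by ANY authenticated user, including a subscriber, via
// POST /wp-admin/admin-ajax.php with action=example_update_option.
// Nothing here checks who the caller is or whether the request was
// intended, so a low-privileged account can overwrite a site option.
add_action( 'wp_ajax_example_update_option', 'example_update_option_vulnerable' );
function example_update_option_vulnerable() {
    update_option(
        sanitize_key( $_POST['option_name'] ),
        wp_unslash( $_POST['option_value'] )
    );
    wp_send_json_success();
}

// Hardened pattern. Three checks are added, all using WordPress core
// functions: a capability check (only users who may manage options),
// a nonce check (the request came from a form/page this plugin rendered,
// not a cross-site or replayed request), and an allow-list of option
// names so arbitrary options cannot be written.
add_action( 'wp_ajax_example_update_option_safe', 'example_update_option_safe' );
function example_update_option_safe() {
    // 1. Capability: reject anyone who cannot manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), execution stops
    }

    // 2. Nonce: the page issuing the request must have embedded
    //    wp_create_nonce( 'example_update_option' ) as the "nonce" field.
    //    check_ajax_referer() terminates the request on an invalid nonce.
    check_ajax_referer( 'example_update_option', 'nonce' );

    // 3. Allow-list: only these hypothetical plugin options may be changed.
    $allowed = array( 'example_import_format', 'example_import_delimiter' );
    $name    = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

A quick way to confirm a handler has the vulnerable shape is to log in as a subscriber-level test account and send the AJAX request yourself (for example with curl, passing the logged-in cookies and the action parameter to /wp-admin/admin-ajax.php); if the option changes, the handler is missing the capability check, whatever else it may validate.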