Cross-Site Request Forgery (CSRF) Vulnerability in wpCentral
As part of keeping track of vulnerabilities in WordPress plugins, we monitor whether any of the 1,000 most popular plugins on the WordPress Plugin Directory are closed, in case the closure might be due to a security vulnerability. On Monday, one of those plugins, wpCentral, was closed. No reason has been given for that closure so far, but in a quick check over the plugin, we found a security vulnerability that could have led to its removal. That vulnerability is cross-site request forgery (CSRF) affecting the functionality accessible through the plugin’s settings page.
The plugin’s settings page is registered to only be accessible to users with the activate_plugins capability:
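To illustrate the class of issue described above, here is an added example (hypothetical plugin code with made-up `hypo_` names, not wpCentral’s code) that contrasts a settings handler relying only on the activate_plugins capability check with one that also verifies a nonce:

```php
<?php
// Added example: hypothetical plugin code, not wpCentral's.
// Restricting a settings page to users with activate_plugins does not, by
// itself, protect it against CSRF: a logged-in administrator's browser sends
// the WordPress auth cookies with any request another page causes it to make.
// A nonce tied to the specific action is what blocks such forged requests.

// Vulnerable pattern: capability check only.
function hypo_save_settings_vulnerable() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Any request carrying the administrator's cookies reaches this point.
    update_option( 'hypo_api_endpoint', sanitize_text_field( wp_unslash( $_POST['api_endpoint'] ?? '' ) ) );
}

// Hardened pattern: the form embeds a nonce and the handler verifies it.
function hypo_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_settings">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <input type="text" name="api_endpoint" value="<?php echo esc_attr( get_option( 'hypo_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function hypo_save_settings_hardened() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() validates the nonce for this action and dies on
    // failure, so a request forged from another site never reaches the update.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );
    update_option( 'hypo_api_endpoint', sanitize_text_field( wp_unslash( $_POST['api_endpoint'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

add_action( 'admin_menu', function () {
    add_options_page( 'Hypo Settings', 'Hypo', 'activate_plugins', 'hypo-settings', 'hypo_render_settings_page' );
} );
add_action( 'admin_post_hypo_save_settings', 'hypo_save_settings_hardened' );
```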