27 Sep 2019

Vulnerability Details: Multiple in WPeMatico RSS Feed Fetcher

One of the changelog entries for the latest version of WPeMatico RSS Feed Fetcher is “More security enhancements and minor changes to WP standards.Op”. Looking at the changes made in that version, we found that it fixed an authenticated server side request forgery (SSRF) vulnerability and a related cross-site request forgery (CSRF)/SSRF vulnerability, in which the same server side request could be triggered through a forged request from a logged-in user.


21 Sep 2019

Hackers May Already be Targeting this Persistent XSS Vulnerability in WPeMatico RSS Feed Fetcher

As part of the monitoring we do to provide customers of our service with the best possible data on vulnerabilities in the WordPress plugins they may be using, we watch for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There appears to be an ongoing hacker campaign exploiting previously undisclosed vulnerabilities: in the past couple of weeks there have been eight plugins that we have seen hackers newly probing for, and number nine is WPeMatico RSS Feed Fetcher (WPeMatico), for which there was probing on our website today by requesting these files:

  • /wp-content/plugins/wpematico/readme.md
  • /wp-content/plugins/wpematico/readme.txt
  • /wp-content/plugins/wpematico/app/js/campaign_wizard.js

In looking at the plugin we found that, like a number of the other plugins, it contains a persistent cross-site scripting (XSS) vulnerability.
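The probing described above shows up in an ordinary web server access log as requests for the three plugin files, whether or not the plugin is installed (a 404 still tells the prober the plugin is absent, and still tells the site owner someone is looking). The following is an added example, not code from the original post or from WPeMatico, of checking a site's own log for the same probe paths. It assumes the Apache/nginx combined log format; the log lines in it are constructed for illustration.

```python
import re
from collections import defaultdict

# The three paths the post reports being requested while probing for WPeMatico.
WPEMATICO_PROBE_PATHS = {
    "/wp-content/plugins/wpematico/readme.md",
    "/wp-content/plugins/wpematico/readme.txt",
    "/wp-content/plugins/wpematico/app/js/campaign_wizard.js",
}

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_plugin_probes(lines, probe_paths=WPEMATICO_PROBE_PATHS):
    """Map each client IP to the probe paths it requested.

    Query strings are stripped before matching, and the HTTP status is
    ignored on purpose: a 404 is still evidence of probing.
    Lines that do not parse as combined log format are skipped.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path in probe_paths:
            hits[m.group("ip")].append(path)
    return dict(hits)


def likely_probers(hits, min_distinct=2):
    """IPs that requested at least min_distinct different probe paths.

    A single hit can be a stray crawler; several distinct plugin files from
    one address in quick succession is the pattern the post describes.
    """
    return sorted(ip for ip, paths in hits.items() if len(set(paths)) >= min_distinct)


# Constructed sample log lines (not real traffic). 203.0.113.7 walks all
# three probe paths, one with a query string; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Sep/2019:10:14:03 +0000] "GET /wp-content/plugins/wpematico/readme.md HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Sep/2019:10:14:03 +0000] "GET /wp-content/plugins/wpematico/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Sep/2019:10:14:04 +0000] "GET /wp-content/plugins/wpematico/app/js/campaign_wizard.js?ver=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Sep/2019:10:15:00 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line at all',
]


def sample_report():
    """Run the check over the constructed sample and return (hits, probers)."""
    hits = find_plugin_probes(SAMPLE_LOG)
    return hits, likely_probers(hits)


if __name__ == "__main__":
    hits, probers = sample_report()
    for ip in probers:
        print(ip, "requested", len(hits[ip]), "WPeMatico probe paths")
```

To use it on a live site, feed `open("/var/log/apache2/access.log")` to `find_plugin_probes` instead of `SAMPLE_LOG`. The set of paths is deliberately a parameter: the same check works for any plugin whose files a prober would request, and if WPeMatico is actually installed and unfixed, a hit from an unfamiliar address is the cue to take it offline until the persistent XSS is patched.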