
Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website

via pluginvulnerabilities.com => original post link

Last week, we noted that the WordPress security provider Patchstack’s new “early alerts and protection” from plugin vulnerabilities involved them being weeks behind in offering the protection that keeping plugins updated would have provided, and failing to offer it for a vulnerability likely to be exploited by a hacker. At the end of the week, they put out information on what they claimed were vulnerabilities that had existed in a plugin, Easy WP SMTP, used by at least one of our customers, so we went to check over that. What we found is that they were not vulnerabilities, as the “attacker” would already need to have control of the website, because they would need to be logged in as an Administrator.

One of those was claimed to be an authenticated arbitrary file deletion vulnerability, described this way: