
Wordfence Intelligence Community Edition Fails to Warn About Serious Vulnerability Because It Copies Inaccurate Data From WPScan

Via pluginvulnerabilities.com (original post)

Yesterday, we highlighted some of the problems we found when looking at the plugin vulnerability data coming from Wordfence’s new Wordfence Intelligence Community Edition. That is data Wordfence was previously trying to sell access to as part of something called Wordfence Intelligence and is now providing for free. We thought to check on another recent situation and found yet another serious problem, though not an all that surprising one, considering the generally poor quality of data on WordPress plugin vulnerabilities.

On October 21, the developer of the plugin Image Hover Effects introduced a change to the plugin with the commit message “fixed Vulnerability issue”. As at least one of our customers used that plugin, we checked over that change and found that the plugin contained a serious vulnerability related to it, which hadn’t been fixed. That vulnerability would allow anyone logged in to WordPress to cause malicious JavaScript code to run on the website, that is, a cross-site scripting (XSS) vulnerability exploitable by any logged-in user. We warned our customers and contacted the developer of the plugin about it the next day. The developer responded at the end of the month, saying that they were working to address it, but it still hasn’t been addressed.