WordPress Plugins Failing to Include Needed Capabilities Check for AJAX Accessible Functionality

via pluginvulnerabilities.com

When reviewing security changes made in WordPress plugins used by our customers, it isn’t uncommon for us to find that developers have failed to fully fix the vulnerabilities, or, as was recently the case with a plugin with 300,000+ installs, that they have failed to fix the vulnerability at all. We also often see plugins that are missing a basic security check when exposing plugin functionality through WordPress’ AJAX system.

One recent example we ran across involved a plugin named Log HTTP Request. It registers two functions accessible through WordPress AJAX functionality to anyone logged in to WordPress:
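The two patterns the post contrasts, as an added illustration that is not code from the original post or from the Log HTTP Request plugin; the `examplelog_` function, action, option and nonce names are hypothetical:

```php
<?php
/**
 * Added illustration (not code from the original post or from the
 * Log HTTP Request plugin). The "examplelog_" prefix, the option name
 * and the nonce action are hypothetical.
 */

// Variant 1: the pattern the post criticises. A 'wp_ajax_*' hook makes the
// callback reachable by ANY logged-in user, subscribers included, and the
// callback itself performs no authorization check, so a low-privilege
// account can clear the log.
add_action( 'wp_ajax_examplelog_clear_log', 'examplelog_clear_log_unchecked' );

function examplelog_clear_log_unchecked() {
    delete_option( 'examplelog_entries' ); // runs for any authenticated user
    wp_send_json_success();
}

// Variant 2: the same functionality with the missing checks added.
add_action( 'wp_ajax_examplelog_clear_log_v2', 'examplelog_clear_log_checked' );

function examplelog_clear_log_checked() {
    // Capabilities check: only users allowed to manage the site may proceed.
    // wp_send_json_error() ends the request, so nothing below it runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // Nonce check: rejects requests that did not originate from the plugin's
    // own admin page (CSRF protection). Dies with -1 on failure.
    check_ajax_referer( 'examplelog_clear_log', 'nonce' );

    delete_option( 'examplelog_entries' );
    wp_send_json_success();
}

// The admin page that calls Variant 2 must send a matching nonce in the
// 'nonce' request field, created with:
//   $nonce = wp_create_nonce( 'examplelog_clear_log' );
```

The capability check is the control the post says is missing; the nonce check is the usual companion, because a capability check alone still lets an attacker trigger the action through a privileged user's browser.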