Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability

via pluginvulnerabilities.com => original post link

On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ data. An explanation for that hacker targeting could be that WPScan was claiming that there is an unfixed SQL injection vulnerability in the plugin.

As of Saturday, the only information WPScan provided was this vague description of the issue: “The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users”. Without more information it would be difficult for anyone else to confirm their claim. They also stated that a proof of concept for the vulnerability would “be displayed on September 26, 2023, to give users the time to update.” Considering they were also claiming that this wasn’t fixed, there wouldn’t be any update to apply. So something seems amiss there.