Wordfence Intelligence (and Possibly WordPress) Mishandled Unfixed Vulnerabilities in WordPress Plugin

via pluginvulnerabilities.com (original post)

Earlier today, we warned our customers about unfixed vulnerabilities in a WordPress plugin named Posts Like Dislike. We ran across those vulnerabilities because at least one of our customers was using the plugin and the changelog for the latest version stated that a security issue had been fixed. Following that, we checked whether competing data providers had also spotted them. What we found was a mess involving at least Wordfence Intelligence and possibly WordPress as well.

The latest version of Posts Like Dislike added a nonce check, which prevents cross-site request forgery (CSRF), to the code for resetting the plugin’s settings. The WordPress documentation for nonces is clear that a nonce is not to be used for access control.
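The distinction matters in practice, so here is an added illustration (our own example code, not the plugin’s) of a settings-reset handler protected only by a nonce next to one that also checks a capability. Hook, option, nonce action and text-domain names (`example_…`) are made up for the example.

```php
<?php
// Added illustration (not the plugin's code): a settings-reset handler on
// admin-post.php. Option, action and text-domain names are hypothetical.

// Weak: the nonce only proves the request came from a form WordPress rendered
// for *some* logged-in user. It stops CSRF, but admin_post_* hooks fire for any
// authenticated user, so a subscriber who can obtain a nonce can still reset
// the settings. There is no access control here.
function example_reset_settings_nonce_only() {
    check_admin_referer( 'example_reset_settings' ); // CSRF protection only
    delete_option( 'example_plugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// Hardened: authorize first with a capability check, then verify the nonce.
// The capability check is the access control; the nonce remains CSRF protection.
function example_reset_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset these settings.', 'example-plugin' ), 403 );
    }
    check_admin_referer( 'example_reset_settings' );
    delete_option( 'example_plugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}
add_action( 'admin_post_example_reset_settings', 'example_reset_settings_hardened' );

// The matching form: wp_nonce_field() emits the token that
// check_admin_referer() verifies in the handler above.
function example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_reset_settings" />
        <?php wp_nonce_field( 'example_reset_settings' ); ?>
        <?php submit_button( __( 'Reset settings', 'example-plugin' ), 'delete' ); ?>
    </form>
    <?php
}
```

When reviewing a changelog entry like the one described above, the question to ask is whether a `current_user_can()` (or equivalent) check was added alongside the nonce, since a nonce check on its own changes who can trigger the action only from "anyone" to "any logged-in user".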