via pluginvulnerabilities.com => original post link
Recently, we noted again that evidence keeps running counter to the claim made by the WordPress security provider Wordfence that more vulnerabilities being found in WordPress plugins were an indication that things were getting better because newly introduced vulnerabilities were not being found. As plenty of new vulnerabilities are being introduced, but often they go unnoticed. What also stands out from those examples of newly introduced vulnerabilities is that WordPress plugin developers are not running their plugins through automated testing that could catch serious vulnerabilities and then fixing the issues identified.
The latest example of that involves a developer named WPDeveloper. That developer has plugins with at least 2.7 million installs, according to wordpress.org data. A lot of the install count comes from a plugin named Essential Addons for Elementor, which is one of two 1+ million install count plugins they offer. That plugin had a vulnerability that was widely exploited in May. The exploitation occurred right after the WordPress security provider Patchstack disclosed how the vulnerability could be exploited only hours after it was fixed. [Read more]