WordPress Plugin Developers Continue to Make Additional Attempts to Fix Vulnerabilities Without Disclosing It

via pluginvulnerabilities.com => original post link

Last month we wrote about how one of our competitors in providing data on vulnerabilities in WordPress plugins was copying inaccurate data from another provider. That involved a vulnerability in a plugin named Auto Affiliate Links, which hadn’t been fully fixed. The developer later responded in the comments that they hoped the issue had by then been fully resolved. We responded that it hadn’t. Days ago, the developer released a new version with the changelog stating “Tested and updated to work with WordPress 6.4.2”. That seemed odd, as minor WordPress updates rarely make changes that plugins need to be updated to address. It turned out that the release was a further attempt to address the vulnerability.

If you look at the changes made in the new version, they were to add two nonces, add one nonce check, and change the tested-up-to version to WordPress 6.4.2. The first two changes are related to addressing the cross-site request forgery (CSRF) vulnerability. The last change isn’t actually necessary: developers can simply list their plugin as being compatible with WordPress 6.4, and they don’t need to change that for every minor version.
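To make the nonce point concrete, here is an added example (not the plugin’s code, and not derived from its changes) of a hypothetical plugin settings handler in its unprotected form and in its nonce-protected form; all function, option, action and field names are assumptions. It also shows why emitting a nonce without a matching server-side check leaves the request unprotected.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names throughout.

// BEFORE: any POST that reaches this handler changes the option. A logged-in
// admin who is lured to a third-party page can have this form submitted on
// their behalf (CSRF), because nothing ties the request to a form this site
// rendered for them.
function hypothetical_save_settings_unprotected() {
    if ( isset( $_POST['hypothetical_option'] ) ) {
        $value = sanitize_text_field( wp_unslash( $_POST['hypothetical_option'] ) );
        update_option( 'hypothetical_option', $value );
    }
}

// AFTER, step 1: the form carries a nonce bound to the current user, the
// current session and the action name 'hypothetical_save_settings'.
function hypothetical_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hypothetical_save_settings', 'hypothetical_nonce' ); ?>
        <input type="text" name="hypothetical_option"
               value="<?php echo esc_attr( get_option( 'hypothetical_option', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// AFTER, step 2: the handler refuses the request unless the nonce verifies.
// Adding wp_nonce_field() alone changes nothing server-side; the protection
// only exists once a check like this one runs before the state change.
function hypothetical_save_settings_protected() {
    if ( ! isset( $_POST['hypothetical_option'] ) ) {
        return;
    }
    // A nonce proves origin, not privilege: keep the capability check as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() verifies the named nonce field for this action and
    // calls wp_die() with a "link expired" page when it is missing or invalid.
    check_admin_referer( 'hypothetical_save_settings', 'hypothetical_nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['hypothetical_option'] ) );
    update_option( 'hypothetical_option', $value );
}
add_action( 'admin_init', 'hypothetical_save_settings_protected' );
```

When reviewing a fix like the one described above, confirm that every nonce emitted by a form has a corresponding verification in the handler that consumes it; a nonce field with no check is only decoration.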