WordPress Provider EverestThemes Is Offering 24/7 Security Monitoring While Not Securing Their Own Plugin

via pluginvulnerabilities.com => original post link

In our years of dealing with vulnerabilities in WordPress plugins, one disturbing thing that we keep running into is plugin developers who are offering security services while not securing their own plugins. It’s hard to come up with a reasonable explanation of how they would feel comfortable offering security services while not even having made sure that they are handling security well with their own software.

The latest instance of that involves a provider named EverestThemes. They offer a backup plugin that has 4,000+ installs according to WordPress. Because of the security risk posed by features that backup plugins often have, properly securing them is more important than for the average plugin. Unfortunately, the plugin lacks even basic security. We ran across that while looking into a false claim by Wordfence of a vulnerability in the plugin. For over two years the plugin has included a vulnerability that allows an attacker to delete arbitrary files from the website. A hacker could use that to delete the WordPress configuration file and then take control of the website.
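As an added defensive illustration (not EverestThemes' code and not part of the original post), the hypothetical WordPress handler below shows the controls a backup plugin's file-deletion endpoint needs so that a request cannot reach files outside the plugin's own backup directory, such as wp-config.php. Every name prefixed `hypothetical_` is an assumption; the WordPress API calls themselves are real.

```php
<?php
// Added example, not from the plugin or the post: a hardened "delete backup file"
// handler for a hypothetical WordPress backup plugin. Arbitrary file deletion
// arises when any of the three controls below is missing.
add_action( 'admin_post_hypothetical_backup_delete', 'hypothetical_backup_delete' );

function hypothetical_backup_delete() {
    // 1. Authorization: only users who can manage the site may delete backups.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'hypothetical_backup_delete' );

    $requested  = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $backup_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'hypothetical-backups/';

    $path = hypothetical_backup_resolve( $backup_dir, $requested );
    if ( false === $path ) {
        wp_die( 'Invalid backup file.', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $path );
    wp_safe_redirect( admin_url( 'tools.php?page=hypothetical-backups&deleted=1' ) );
    exit;
}

// 3. Path confinement: accept only a bare file name with the backup extension,
// resolve it on disk, and verify it still lies inside the backup directory.
function hypothetical_backup_resolve( $backup_dir, $requested ) {
    $name = basename( $requested );               // drops any directory component
    if ( '' === $name || $name !== $requested ) {
        return false;                             // rejects "../wp-config.php", "/etc/x", ...
    }
    if ( ! preg_match( '/^[A-Za-z0-9._-]+\.zip$/', $name ) ) {
        return false;                             // only backup archives are deletable
    }
    $real_dir  = realpath( $backup_dir );
    $real_path = realpath( $backup_dir . $name );
    if ( false === $real_dir || false === $real_path ) {
        return false;                             // directory or file does not exist
    }
    // realpath() follows symlinks, so a link pointing outside the directory fails here too.
    if ( strpos( $real_path, trailingslashit( $real_dir ) ) !== 0 ) {
        return false;
    }
    return $real_path;
}
```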