WordPress Plugin Developers Need to Make Sure Their Nonce Checks Work Both if a Nonce Isn’t Sent and if the Nonce Is Wrong

via pluginvulnerabilities.com => original post link

Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be checked over carefully. It turned out that not all of the fixes had been properly implemented, so one of the vulnerabilities was still in the plugin. The fix in question was a logic failure in a nonce check intended to prevent cross-site request forgery (CSRF). Developers need to make sure their nonce checks reject a request both when no nonce is sent at all and when the nonce that is sent is wrong. Otherwise a CSRF vulnerability can remain, because preventing that type of vulnerability requires that a valid nonce is both sent and validated; a check that only rejects a nonce that happens to be present and invalid does nothing against a forged request that simply leaves the nonce out.
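The following is an added illustration of that failure mode, not the code from the plugin under review (whose actual check is not reproduced in this excerpt). It assumes it runs inside WordPress (wp_verify_nonce, check_admin_referer, wp_nonce_field, wp_die and current_user_can are core functions); the action name example_save_settings, the option name and the handler names are hypothetical. The first handler has the logic failure, the second handles both the missing and the wrong nonce, and the third shows the core helper that does the same in one call:

```php
<?php
/*
 * Added example (hypothetical plugin code, not the reviewed plugin's):
 * a nonce check that only works when a nonce is present, beside one that
 * rejects a request when the nonce is missing OR wrong. Assumes WordPress
 * is loaded; 'example_save_settings' and 'example_setting' are made-up names.
 */

// Legitimate form: emits a hidden _wpnonce field tied to the action name.
function example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    wp_nonce_field( 'example_save_settings' );            // adds _wpnonce (and _wp_http_referer)
    echo '<input type="text" name="example_setting">';
    echo '<button type="submit">Save</button></form>';
}

// BROKEN: rejects only a nonce that is present AND invalid. A forged
// cross-site POST that omits _wpnonce never enters the if-block, so the
// setting is updated anyway and the CSRF vulnerability remains.
function example_save_settings_broken() {
    if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'example_save_settings' ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) ) );
}

// FIXED: the request is rejected unless a nonce is present AND valid.
// wp_verify_nonce() returns false for an empty string, so normalising a
// missing field to '' folds the "not sent" case into the "wrong" case.
function example_save_settings_fixed() {
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( '' === $nonce || ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_die( 'Missing or invalid nonce', '', array( 'response' => 403 ) );
    }
    // A nonce only proves the request came from a page you rendered; it is
    // not an authorization check, so still verify the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) ) );
}

// EQUIVALENT: check_admin_referer() reads _wpnonce from $_REQUEST, treats a
// missing value as '', verifies it against the action, and dies on failure,
// so both the "not sent" and "wrong" cases are covered by one call.
function example_save_settings_with_helper() {
    check_admin_referer( 'example_save_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) ) );
}

// Wire the fixed handler to admin-post.php for logged-in users (hypothetical hook name suffix).
add_action( 'admin_post_example_save_settings', 'example_save_settings_fixed' );
```

To test a check of this shape, submit the form twice from outside the site: once with the _wpnonce field removed entirely and once with it set to a garbage value. Both requests must be rejected; a check that only fails the second request still has the CSRF vulnerability the nonce was meant to prevent.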

Here was a nonce check that was added: