Yesterday, a new version of the WordPress plugin Enable Media Replace was released. The changelog for the new version was “Fix: A potential “Reflected Cross-Site Scripting” vulnerability has been patched, responsibly disclosed by the PatchStack team.” The developers claim that a “potential” vulnerability had been fixed turned out to not be true. As there was an actual vulnerability. We also found the code in the plugin still isn’t properly secured and we have notified the developer of that.

…

[Read more]