25 Aug 2023

Vulnerability That Allows Attacker to Become Administrator Has Been in WordPress Plugin for Over 3 Years

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We continue to improve what we can detect through that, based on other vulnerabilities being discovered and disclosed. A recent improvement to that led to us finding a role change vulnerability in the plugin Affiliaa. It would allow someone logged in to WordPress to change their own role, which means an attacker with access to a low-privilege WordPress account could become an Administrator. That vulnerability has been in the plugin since it was introduced into the WordPress Plugin Directory in March 2020.
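To make the class of defect concrete, here is an added example of a WordPress form handler that lets a user choose a role, first in the weak form that matches the description above and then hardened. This is illustrative code written for this page; it is not the Affiliaa plugin's code and not from the post's author. The action hook names, the form field names and the function name are assumptions.

```php
<?php
// Added example (not the Affiliaa plugin): a plugin-style handler that
// changes a user's role via admin-post.php. Hook and field names are made up.

// --- Weak pattern: any logged-in user can set any role for themselves,
//     including "administrator". No nonce, no capability check, no allow-list.
add_action( 'admin_post_example_change_role_weak', function () {
    $user = wp_get_current_user();
    $user->set_role( $_POST['role'] );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

// --- Hardened pattern.
add_action( 'admin_post_example_change_role', 'example_handle_role_change' );

function example_handle_role_change() {
    // 1. CSRF: the submitting form must carry a nonce for this action
    //    (wp_nonce_field( 'example_change_role' ) on the form side).
    check_admin_referer( 'example_change_role' );

    // 2. Authorization: only users who may promote others can change roles.
    //    Editors and lower roles do not hold "promote_users" by default.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'You are not allowed to change roles.', 403 );
    }

    // 3. Resolve the target user from the request and check edit rights on it.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to edit this user.', 403 );
    }

    // 4. Input validation: the role must be one the current user may assign.
    //    get_editable_roles() honours the "editable_roles" filter, so site
    //    policy (e.g. never assigning "administrator") is enforced here too.
    $role    = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';
    $allowed = array_keys( get_editable_roles() );
    if ( '' === $role || ! in_array( $role, $allowed, true ) ) {
        wp_die( 'Invalid role.', 400 );
    }

    $user->set_role( $role );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
```

The three checks that matter for this bug class are the capability check (who may change roles), the target-user check (which accounts they may touch) and the allow-list on the role value; a handler missing any one of them lets a low-privilege account escalate. When reviewing a plugin, every call to `set_role()`, `add_role()` or `update_user_meta()` on the capabilities key is worth tracing back to those three checks.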

We are now also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them.