Authenticated PHP Object Injection Vulnerability in Backup and Staging by WP Time Capsule
With WordPress plugins that carry an obviously heightened security risk, we have often found that the security is poor, maybe even poorer than in the average plugin. The authenticated PHP object injection vulnerability we ran across in the plugin Backup and Staging by WP Time Capsule is a good example of that insecurity.
On Friday a security change related to PHP object injection was made to one of the most popular WordPress plugins, Formidable Forms, which has 200,000+ installs. The relevant code seemed like something that should have been flagged by our Plugin Security Checker and proactive monitoring, but we found that it wasn’t, because the code used an alternative to the function usually found in vulnerable code. That usage is so uncommon that, according to a search of all the plugins in the WordPress Plugin Directory using WPdirectory, Formidable Forms was one of only three plugins with the same basic setup. One of the other two was Backup and Staging by WP Time Capsule. At first glance the code in that plugin looked like it would be of limited security concern, but further checking showed that multiple security failures allow anyone logged in to WordPress who can access the admin area to exploit it.
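To show what the vulnerability class above actually amounts to, here is an added, self-contained PHP illustration written for this post. It is not code from WP Time Capsule or Formidable Forms and does not reproduce either plugin's bug: the CacheWriter class, the two handler functions and the payload are all hypothetical, and the usual unserialize() stands in for whatever deserialization call a plugin happens to use. It pairs the vulnerable pattern with a hardened one and demonstrates that the same payload has a side effect in one and none in the other.

```php
<?php
// Added illustration of PHP object injection; hypothetical code, not the
// plugin's own. unserialize() stands in for the deserialization call.

// A gadget: a class with a magic method that acts on attacker-controlled
// properties. unserialize() will build an instance of any loaded class the
// payload names, with whatever property values the payload supplies.
class CacheWriter
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        // Runs automatically when the object unserialize() created is freed.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: request data handed straight to unserialize(). In a
// plugin this would typically sit behind an admin-ajax.php or admin_post
// action guarded only by is_user_logged_in(), so any low-privilege account
// that can reach the admin area can send the payload.
function vulnerable_handler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern: never let user input instantiate classes. With
// allowed_classes => false an object in the payload becomes a
// __PHP_Incomplete_Class and none of its magic methods ever run; a format
// that cannot encode objects at all (JSON) is better still. The WordPress
// side should additionally verify a nonce (check_ajax_referer()) and a
// capability (current_user_can('manage_options')), not merely a login.
function hardened_handler(string $untrusted): mixed
{
    $data = unserialize($untrusted, ['allowed_classes' => false]);
    if (is_object($data)) {
        return null; // the payload tried to smuggle in an object: reject it
    }
    return $data;
}

// Constructed attacker payload. An attacker writes this string by hand;
// serialize() is used here only to build it for the demo.
$target = sys_get_temp_dir() . '/poi_demo.txt';
$gadget = new CacheWriter();
$gadget->path = $target;
$gadget->content = "written by the gadget's __destruct()\n";
$payload = serialize($gadget);
unset($gadget);      // the local copy would also write the file; drop it first
@unlink($target);
echo "Payload: $payload\n";

// Vulnerable: the object is rebuilt from the payload and __destruct() fires.
$obj = vulnerable_handler($payload);
unset($obj);
echo 'vulnerable_handler: file written = '
    . var_export(file_exists($target), true) . "\n";
@unlink($target);

// Hardened: same payload, no object is created, no side effect occurs.
$res = hardened_handler($payload);
echo 'hardened_handler: returned ' . var_export($res, true)
    . ', file written = ' . var_export(file_exists($target), true) . "\n";
```

Run it with `php` from the command line; the interesting part is not the toy gadget but that the boundary between the two handlers is a single option on the deserialization call plus the capability and nonce checks the comments name. Real gadget chains are found in classes that the plugin, WordPress core or a bundled library already loads, which is why an authenticated user reaching unserialize() on their own input is treated as a serious issue even when the plugin itself contains no obviously dangerous class.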