28 Jul 2023

Latest Update of 60,000+ Install WooCommerce Extending Plugin Removes Basic Security

WordPress security providers have been claiming for years that the security of WordPress plugins is improving. Here is how WP Tavern described that claim, as coming from Patchstack, in March:

The report emphasized that the increase in the number of vulnerabilities reported means that ecosystem is becoming more secure as the result of more security issues being found and patched. [Read more]

5 Sep 2017

PHP Object Injection Vulnerability in Booster for WooCommerce

We recently started proactively monitoring for evidence of some high-risk vulnerabilities when changes are made to WordPress plugins, and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for is PHP object injection, since those vulnerabilities are likely to be exploited if hackers become aware of them. Through that monitoring we came across a PHP object injection vulnerability in the Email Verification module of the plugin Booster for WooCommerce.

When the Email Verification module is enabled (it and all of the other modules are disabled by default), the function process_email_verification() in the file /includes/class-wcj-emails-verification.php is run during init: [Read more]