Authenticated Post Deletion Vulnerability in CartFlows
One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We also run all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. Through that, we caught an authenticated post deletion vulnerability in CartFlows, a plugin with 200,000+ installs. Our customers were already protected from the vulnerability, as our Plugin Vulnerabilities Firewall plugin provides protection against this type of vulnerability without us having to write a rule for a specific vulnerability.
By default, the plugin restricts access to the admin portion of the plugin’s interface to Administrators, but it has a user role manager that allows lower-level users to be given access. If users are given “Limited Access”, they “Can create/edit/delete/import flows and steps only.” Because the flow deletion functionality does not restrict which posts it deletes, a user with that access can delete any post on the website, not just the plugin’s flows.
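As an added illustration (not CartFlows code and not from the original post) of the checks that keep a flow-deletion endpoint from becoming a delete-any-post endpoint: the handler below refuses any post that is not of the plugin’s own post type and then applies WordPress’s per-post delete capability. The AJAX action name `example_delete_flow` and the post type slug `cartflows_flow` are assumptions.

```php
<?php
// Added example, not the plugin's own code. Registers an admin-ajax handler
// that only deletes posts of one assumed post type ('cartflows_flow') and only
// when the current user may delete that specific post.
add_action( 'wp_ajax_example_delete_flow', 'example_delete_flow' );

function example_delete_flow() {
    // Nonce check: rejects requests that ride an authenticated session from
    // another site (CSRF). Nonce action and field name are assumptions.
    check_ajax_referer( 'example_delete_flow', 'security' );

    $flow_id = isset( $_POST['flow_id'] ) ? absint( $_POST['flow_id'] ) : 0;
    $post    = $flow_id ? get_post( $flow_id ) : null;

    // Scope check: this endpoint may only ever delete the plugin's own flows.
    // Without this, any post ID (pages, products, other users' posts) would
    // be accepted, which is the class of bug described above.
    if ( ! $post || 'cartflows_flow' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not a flow.' ), 400 );
    }

    // Capability check on the specific post: WordPress maps 'delete_post' to
    // the correct meta capability (own vs. others' posts) for the post type.
    if ( ! current_user_can( 'delete_post', $flow_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // Force-delete (skip trash); returns false/null on failure.
    if ( ! wp_delete_post( $flow_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $flow_id ) );
}
```

The post-type check is the one that matters for this advisory: a capability check alone still lets a "Limited Access" user who legitimately may delete flows pass, so the handler must also confirm the target is actually a flow.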