Five of the 100 Most Popular WordPress Plugins Are Insecurely Using the extract() Function
Last week we noted that the most popular WordPress security plugin, Jetpack, was insecurely using PHP’s extract() function. It turns out that it isn’t alone among the most popular WordPress plugins, as running the 100 most popular plugins in the WordPress Plugin Directory through our Plugin Security Checker identified four more plugins that are similarly insecure. Jetpack is the most popular with 5+ million installs according to WordPress’ stats, but the others also have large install counts:
- Advanced Custom Fields: 2+ Million Installs
- CookieYes GDPR Cookie Consent & Compliance Notice: 1+ Million Installs
- MetaSlider: 700,000+ Installs
- Ocean Extra: 700,000+ Installs
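Why the extract() warning matters, as a constructed PHP example added here (not code from any plugin named above): a shortcode-style handler that calls extract() on caller-supplied attributes lets the caller overwrite a variable the code trusts, shown beside a version that reads only the keys it expects.

```php
<?php
// Constructed example, added here; not code from any plugin named above.
// $atts stands for caller-supplied attributes (shortcode attributes, request
// parameters), i.e. exactly the kind of data extract() must never be run on.

function render_insecure(array $atts): string {
    $allow_raw_html = false;   // trusted default chosen by the plugin author
    // extract() turns every key of $atts into a local variable and, by
    // default, overwrites variables that already exist in this scope, so a
    // key named 'allow_raw_html' silently replaces the trusted default.
    extract($atts);
    $text = $text ?? '';
    return $allow_raw_html ? $text : htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_hardened(array $atts): string {
    $allow_raw_html = false;   // out of the caller's reach
    // Read only the keys this code expects; unexpected keys are ignored and
    // no local variable can be clobbered.
    $text = isset($atts['text']) ? (string) $atts['text'] : '';
    return $allow_raw_html ? $text : htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stop-gap when extract() cannot be removed at once: EXTR_SKIP refuses to
// overwrite variables that already exist, so trusted defaults survive.
function render_mitigated(array $atts): string {
    $allow_raw_html = false;
    extract($atts, EXTR_SKIP);
    $text = $text ?? '';
    return $allow_raw_html ? $text : htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed input: a key the handler never intended to accept rides along.
$input = ['text' => '<b>hello</b>', 'allow_raw_html' => true];

echo "insecure:  ", render_insecure($input), PHP_EOL;   // markup passes through unescaped
echo "hardened:  ", render_hardened($input), PHP_EOL;   // markup is escaped
echo "mitigated: ", render_mitigated($input), PHP_EOL;  // markup is escaped
```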
As we noted in the previous post, the documentation for the extract() function has this warning: