Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in Plugin with 70,000+ Active Installs
As we continue our first week of fully disclosing vulnerabilities in WordPress plugins, which will go on until the people on the WordPress side of things finally clean up the moderation of their Support Forum, it is important to remember that if we did not fully disclose these vulnerabilities they would still be in the plugins and still a security risk. In fact, there are currently plenty of easy-to-spot vulnerabilities in popular plugins. A case in point is the vulnerability we are fully disclosing today: a reflected cross-site scripting (XSS) vulnerability in the plugin Feed Them Social, the possible existence of which was flagged by our, far from advanced, automated tool for detecting plugin vulnerabilities, the Plugin Security Checker. That plugin, which has 70,000+ active installs according to wordpress.org, was recently run through the tool, and during our continuing audits of those results we checked on the results for this plugin.
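To show the kind of line-level heuristic that surfaces "possible" reflected XSS in plugin code for a human to verify, here is an added example that is not the Plugin Security Checker, not code from Feed Them Social, and not part of the original post. It scans PHP source for output statements (`echo`, `print`, `<?=`) that reference an attacker-controlled superglobal without any of the listed WordPress or PHP escaping functions on the same line. The `SAMPLE_PLUGIN` text is constructed for illustration; the function names in `ESCAPERS` are the real WordPress and PHP escaping helpers.

```python
import re

# Superglobals an attacker controls directly in a reflected XSS scenario.
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

# Output sinks: echo/print statements and PHP's short echo tag.
OUTPUT_SINK = re.compile(r"^\s*(echo|print)\b|<\?=")

# Escaping/sanitising helpers whose presence on the line makes the output
# probably safe (the heuristic cannot tell whether the escaper fits the context).
ESCAPERS = re.compile(
    r"\b(esc_html|esc_attr|esc_url|esc_js|esc_textarea|esc_html__|esc_attr__|"
    r"htmlspecialchars|htmlentities|intval|absint|sanitize_text_field|"
    r"wp_kses|wp_kses_post)\s*\("
)


def find_unescaped_output(php_source):
    """Return (line_number, stripped_line) for each output statement that
    reflects a superglobal with no escaper on the same line.

    Deliberately line-local: no data-flow, so an assignment like
    `$tab = $_GET['tab'];` followed by `echo $tab;` is NOT caught. That gap
    is why such a tool can only report *possible* instances that a reviewer
    then confirms by reading the code.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if OUTPUT_SINK.search(line) and USER_INPUT.search(line) and not ESCAPERS.search(line):
            findings.append((lineno, line.strip()))
    return findings


# Constructed sample (not a real plugin). Lines 4 and 9 reflect request data
# unescaped; line 7 also does, but via an intermediate variable the
# heuristic cannot follow.
SAMPLE_PLUGIN = """<?php
// Constructed sample, not code from any real plugin.
$tab = $_GET['tab'];
echo '<div class="active-tab">' . $_GET['tab'] . '</div>';
echo '<div class="active-tab">' . esc_html( $_GET['tab'] ) . '</div>';
echo '<input value="' . esc_attr( $_REQUEST['q'] ) . '">';
echo $tab; // missed: no data-flow tracking in this heuristic
?>
<p>Results for <?= $_POST['q'] ?></p>
<p>Page <?= intval( $_GET['page'] ) ?></p>
"""


if __name__ == "__main__":
    for lineno, text in find_unescaped_output(SAMPLE_PLUGIN):
        print(f"possible reflected XSS at line {lineno}: {text}")
```

Running it flags lines 4 and 9 of the sample and stays quiet on the escaped lines 5, 6 and 10, while silently missing line 7. Both kinds of error (a false negative through the variable, and the inability to tell that `esc_html()` is the wrong escaper inside an HTML attribute) are the reason an automated flag is only a lead for manual review, not a confirmed vulnerability.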
There were multiple possible instances of reflected XSS identified, this being the last one: