Last Thursday we started warning any customers of our service using the plugin ND Shortcodes (ND Shortcodes For Visual Composer) that there were a couple of vulnerabilities in the plugin. We warned them on the basis of one of them being fixed in a new version with the changelog “Improved nd_options_import_settings_php_function function for security reasons” (the second vulnerability is related to the fixed one). Those not using our service were not so lucky, as the plugin was at the time and remains closed on the WordPress Plugin Directory, so it isn’t possible to update the plugin normally to protect against the fixed vulnerability (we are always available to help our customer to update to a new version in a situation like that).

If you were relying on the main competing data source for vulnerabilities in WordPress plugins, the WPScan Vulnerability Database, even now you are not getting warned: [Read more]