5 Apr 2023

WP Engine’s New WordPress Plugin Contains CSRF Vulnerability

From what we have seen, WP Engine has a reputation for having a good handle on security, despite having a bad track record going back many years. In line with that track record, we found that the WordPress plugin they released on the WordPress Plugin Directory last week, Pattern Manager, lacks a basic security check, leading to a minor vulnerability.

In the file /wp-modules/editor/model.php, the plugin registers the function redirect_pattern_actions() so that it is accessible even to those not logged in to WordPress.