The WordPress Funnel Builder by CartFlows plugin, which has 30,000+ active installations, fixed a privilege escalation vulnerability affecting version 1.3.0 and below.
A few days ago I found the following directive inside the WordPress configuration file of one of our customers: define(‘RELOCATE’, true);
An authenticated settings change vulnerability in the YIT Plugin Framework v3.3.8 and below, used in several dozen WordPress plugins, could allow logged-in users to change the plugin options.
The WordPress GiveWP plugin, which has 70,000+ active installations, fixed several vulnerabilities affecting version 2.5.9 and below.
Multiple plugins offering to convert WordPress’ default plain text emails to HTML format were found to be vulnerable to HTML injection, which could lead to phishing or CSRF attacks.