On 26 June 2015, I discovered the WP Rollback plugin. This plugin allows you to install an older version of one of your plugins from the official repository.
Since I wanted to use this plugin, I had to check its security. Remember that if I don't do that, then I have to remember that installing a plugin is like including a PHP script from someone I don't know, without looking at the code, which is impossible for me.
No argument is sanitized or escaped: the plugin echoes the entire content of the `$_GET` parameter passed in the URL bar straight back into the page.
This XSS vulnerability had a DREAD score of 4.4/10, rated critical.
Then I had the idea of testing whether I could force an admin to roll a plugin back to version 1.0. Unfortunately, it works, because there is no security token (nonce) on the plugin install link.
Worse, we can even force the installation of any plugin from the repository.
This CSRF vulnerability had a DREAD score of 4.4/10, rated critical.
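To make the two flaws concrete, here is an added illustration of an admin page handler with both defects (unescaped `$_GET` echoed into the page, and an install action reachable without a nonce or capability check) beside a hardened version using the standard WordPress APIs. This is example code written for this post, not WP Rollback's own code; the query parameter names `plugin_file` and `plugin_version`, the page slug `example_rollback` and the action hook `example_rollback_install` are assumptions, since the real plugin's identifiers are not given here.

```php
<?php
// Added illustration, not WP Rollback's code. Parameter names, the page slug
// and the action hook below are hypothetical.

// --- Vulnerable handler: reflects $_GET unescaped and acts on it without a nonce ---
function example_rollback_page_vulnerable() {
    $plugin  = $_GET['plugin_file'];     // never sanitized
    $version = $_GET['plugin_version'];  // never sanitized

    // XSS: attacker-controlled input is echoed straight into admin HTML, so
    // ?plugin_version=<script>...</script> executes in the admin's browser.
    echo '<h2>Rolling back ' . $plugin . ' to ' . $version . '</h2>';

    // CSRF: no nonce and no capability check. A logged-in admin who merely
    // loads a hostile page containing
    //   <img src="https://victim/wp-admin/index.php?page=example_rollback&plugin_file=...&plugin_version=1.0">
    // triggers the install with their own session cookie.
    do_action( 'example_rollback_install', $plugin, $version );
}

// --- Hardened version ---

// Link generation: wp_nonce_url() appends a _wpnonce bound to this action,
// so a link the attacker builds themselves will not carry a valid token.
function example_rollback_link( $plugin, $version ) {
    $url = add_query_arg(
        array(
            'page'           => 'example_rollback',
            'plugin_file'    => $plugin,
            'plugin_version' => $version,
        ),
        admin_url( 'index.php' )
    );
    return wp_nonce_url( $url, 'example_rollback_' . $plugin );
}

function example_rollback_page_hardened() {
    // Only users allowed to install plugins may reach this code path at all.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Sanitize on input: strip tags and stray bytes from the raw query values.
    $plugin  = isset( $_GET['plugin_file'] )    ? sanitize_text_field( wp_unslash( $_GET['plugin_file'] ) )    : '';
    $version = isset( $_GET['plugin_version'] ) ? sanitize_text_field( wp_unslash( $_GET['plugin_version'] ) ) : '';

    // Allow-list the shape of the values (slug/file.php and a version string)
    // rather than trusting whatever the URL bar contained.
    if ( ! preg_match( '#^[a-z0-9_-]+/[a-z0-9_.-]+\.php$#i', $plugin ) ||
         ! preg_match( '#^[0-9][0-9a-z.-]*$#i', $version ) ) {
        wp_die( 'Invalid plugin or version.' );
    }

    // CSRF defence: the nonce in the request must match the action the link
    // was generated for. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_rollback_' . $plugin );

    // Escape on output so a reflected value can never become markup.
    echo '<h2>Rolling back ' . esc_html( $plugin ) . ' to ' . esc_html( $version ) . '</h2>';

    do_action( 'example_rollback_install', $plugin, $version );
}
```

Two points worth keeping separate: `sanitize_text_field()` cleans the value on the way in, but it is `esc_html()` at the point of output that actually prevents the reflected XSS, so both belong in the handler. Likewise the nonce alone is not authorization; `current_user_can('install_plugins')` is what stops a low-privilege user from triggering the install, while `check_admin_referer()` is what stops a third-party page from riding an admin's session.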
The plugin developers handled this very quickly and a patch is already out. You need to install version 1.2.3 or later to avoid these flaws.