Plugin Security Certification: “Author List” – Version 2.0.3: Secure List of Authors

Managing and presenting a website's authors should not come at the expense of security. The "Author List" plugin, now at version 2.0.3, simplifies displaying a list or grid of post authors (or users of any other role) and places a strong emphasis on secure implementation. This article looks at the plugin's security-relevant design and the "Plugin Security Certification" (PSC) CleanTalk awarded it.

CVE-2023-4836 – User Private Files – IDOR to Sensitive data and private files exposure / leak of info – POC

A comprehensive evaluation of the User Private Files plugin identified a significant vulnerability: an Insecure Direct Object Reference (IDOR). The plugin resolves which file to serve from a reference the client supplies, without checking that the requesting user owns it. A malicious user can therefore browse other users' folders and download their files without consent, exposing sensitive data; users who have never shared a file are affected too. The flaw is exploitable with minimal privileges: a Subscriber can exploit it whenever a page containing the plugin's shortcode already exists on the site, and a Contributor can create such a page.
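To make the missing check concrete, here is an added example (written for this article, not the User Private Files plugin's own code) of a download resolver with and without object-level authorization. The file table, the user id 7 returned by the stand-in get_current_user_id(), and the hypothetical paths are all constructed; the stand-in functions exist only so the script runs outside WordPress, where the real functions are defined.

```php
<?php
// Added example, not the plugin's code: an IDOR in a "download my file"
// handler and the owner check that closes it. All data below is constructed.

// Constructed stand-in for a plugin's file records (id => owner and path).
$files = [
    101 => ['owner_id' => 7, 'path' => '/uploads/private/7/contract.pdf'],
    102 => ['owner_id' => 9, 'path' => '/uploads/private/9/payroll.xlsx'],
];

// Minimal stand-ins so this runs with plain `php` outside WordPress.
if (!function_exists('get_current_user_id')) {
    function get_current_user_id() { return 7; }   // assume a logged-in Subscriber, user 7
}
if (!function_exists('current_user_can')) {
    function current_user_can($cap) { return false; } // a Subscriber has no admin capability
}

// Vulnerable: the only gate is "is somebody logged in?". Any Subscriber who
// can reach the shortcode page may request any file_id and get another
// user's file (IDOR).
function resolve_download_vulnerable(array $files, int $file_id): ?string {
    if (get_current_user_id() === 0) {
        return null;
    }
    return $files[$file_id]['path'] ?? null;
}

// Hardened: authorize against the object's owner, not the caller's login
// state. A non-owner is allowed only with an explicit admin capability.
function resolve_download_hardened(array $files, int $file_id): ?string {
    $user_id = get_current_user_id();
    if ($user_id === 0 || !isset($files[$file_id])) {
        return null;
    }
    $record   = $files[$file_id];
    $is_owner = ($record['owner_id'] === $user_id);
    if (!$is_owner && !current_user_can('manage_options')) {
        return null; // deny (and log the attempt in a real plugin)
    }
    return $record['path'];
}

// Demonstration: user 7 asks for their own file (101) and user 9's file (102).
foreach ([101, 102] as $id) {
    printf("file %d vulnerable=%s hardened=%s\n", $id,
        resolve_download_vulnerable($files, $id) ?? 'denied',
        resolve_download_hardened($files, $id) ?? 'denied');
}
```

Run with `php idor.php`: the vulnerable resolver hands out both paths, the hardened one denies file 102. Note that the fix is the ownership comparison, not a nonce: a nonce only proves the request came from the site's own form, which a Subscriber can load legitimately.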

CVE-2023-5237 – Memberlite Shortcodes – Stored XSS via shortcode

A comprehensive assessment of the Memberlite Shortcodes plugin uncovered a critical vulnerability: Stored Cross-Site Scripting (XSS) through a shortcode placed in a new post. Shortcode attribute values are rendered into the page without proper escaping, so a Contributor, who can create posts but not publish them, can plant a payload that executes in the browser of whoever reviews the post. When that reviewer is an Administrator, the result can be an account takeover.
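The pattern behind this class of bug, as an added example that is not the Memberlite Shortcodes plugin's code: a hypothetical [example_box] shortcode whose attributes reach the markup raw, beside a version that escapes per output context. The shortcode name, attribute names and the hostile attribute value are constructed for the demonstration; the stand-in functions mirror the WordPress originals only closely enough to run the script with plain `php`.

```php
<?php
// Added example, not the plugin's code: a shortcode handler with a stored
// XSS through attribute values, and a hardened version.

// Stand-ins so the script runs outside WordPress (the real ones are used there).
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    // Stand-in: keep only the known keys and fill in defaults, like WordPress does.
    function shortcode_atts(array $pairs, array $atts) {
        $out = [];
        foreach ($pairs as $key => $default) {
            $out[$key] = array_key_exists($key, $atts) ? $atts[$key] : $default;
        }
        return $out;
    }
}

// Vulnerable: attribute values are concatenated straight into HTML. A
// Contributor cannot write raw <script> tags into a post, but a quote inside
// a shortcode attribute is just text until this handler turns it into markup.
function example_box_vulnerable($atts, $content = '') {
    $a = shortcode_atts(['title' => '', 'class' => 'box'], (array) $atts);
    return '<div class="' . $a['class'] . '" data-title="' . $a['title'] . '">'
         . '<h3>' . $a['title'] . '</h3>' . $content . '</div>';
}

// Hardened: whitelist values that select markup, escape attribute context
// with esc_attr() and text context with esc_html(). In WordPress, enclosed
// $content that may legitimately carry HTML would go through wp_kses_post().
function example_box_hardened($atts, $content = '') {
    $a = shortcode_atts(['title' => '', 'class' => 'box'], (array) $atts);
    $allowed_classes = ['box', 'box-alt'];
    $class = in_array($a['class'], $allowed_classes, true) ? $a['class'] : 'box';
    return '<div class="' . esc_attr($class) . '" data-title="' . esc_attr($a['title']) . '">'
         . '<h3>' . esc_html($a['title']) . '</h3>' . esc_html($content) . '</div>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('example_box', 'example_box_hardened'); // only inside WordPress
}

// Constructed hostile attribute: closes data-title and adds an event handler.
$hostile = ['title' => 'x" onmouseover="alert(1)', 'class' => 'box'];
echo example_box_vulnerable($hostile, 'hello'), "\n"; // onmouseover becomes a live attribute
echo example_box_hardened($hostile, 'hello'), "\n";   // quotes are encoded, attribute stays inert
```

The point to take from the hardened version is that escaping is chosen by where the value lands (attribute versus element text), and that values which pick a CSS class or similar are validated against a fixed list rather than escaped.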

CVE-2023-5307 – Photos and Files Contest Gallery – Contact Form < 21.2.8.1 – Unauthenticated Stored XSS via HTTP Headers

Rigorous testing of the Photos and Files Contest Gallery – Contact Form plugin identified a critical vulnerability: unauthenticated visitors can trigger a Stored Cross-Site Scripting (XSS) attack whose payload runs in an administrator's browser, which can then be used to escalate to the administrator role. The root cause is that the plugin records the client-controlled X-Forwarded-For request header as the submitter's IP address and later renders it in the admin interface without sanitization.
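As an added example (not the Photos and Files Contest Gallery plugin's code), the following script shows why storing a client-supplied X-Forwarded-For value and echoing it in an admin screen gives unauthenticated stored XSS, and one way to derive and display a client address safely. The trusted proxy address 10.0.0.5, the sample requests and the hostile header value are all constructed; the esc_html() stand-in exists only so the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's code: a contact form that logs the sender's
// IP. The vulnerable version trusts X-Forwarded-For from anyone and prints it
// raw; the hardened version only honours the header behind a known proxy,
// validates the value, and escapes at output regardless.

if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

// Hypothetical reverse-proxy address; in a deployment this comes from config.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Vulnerable: any visitor sets the header, the value is stored as-is and later
// concatenated into the admin's submissions table.
function client_ip_vulnerable(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}
function render_row_vulnerable(string $ip): string {
    return '<td>' . $ip . '</td>';
}

// Hardened: the TCP peer (REMOTE_ADDR) cannot be forged. Only if it is a
// trusted proxy does X-Forwarded-For mean anything, and then the rightmost
// entry that is not itself a trusted proxy is the client the proxy saw.
function client_ip_hardened(array $server): string {
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote; // direct connection: the header is attacker-controlled
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], TRUSTED_PROXIES, true)) {
            continue; // skip our own proxies in the chain
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break; // malformed value: do not store it, fall back to the peer address
    }
    return $remote;
}
function render_row_hardened(string $ip): string {
    return '<td>' . esc_html($ip) . '</td>';
}

// Constructed request 1: direct connection with a hostile header.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(document.cookie)</script>',
];
// Constructed request 2: same header, but arriving via the trusted proxy,
// which appended the real peer address on the right.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(document.cookie)</script>, 198.51.100.7',
];

echo render_row_vulnerable(client_ip_vulnerable($direct)), "\n";  // script tag lands in the admin page
echo render_row_hardened(client_ip_hardened($direct)), "\n";      // <td>203.0.113.10</td>
echo render_row_hardened(client_ip_hardened($proxied)), "\n";     // <td>198.51.100.7</td>
```

Two independent controls are at work: the IP is validated at storage time so the database never holds markup, and esc_html() at render time protects the admin screen even if some other code path stores an unexpected value. Either one alone would have stopped the reported attack; defence in depth means keeping both.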