Vulnerable Plugins
There are thirty four issues this week, with four unfixed. The most critical this week is an unfixed Arbitrary Password Reset vulnerability with the Ultimate Members plugin. Since this is a premium plugin, I do not have access to the source to verify. According to the disclosure, the vendor has stated the fix will be included in version 2.4 some time in September. If you use this plugin, I encourage you to ask the vendor about this closure and when a fix will be released as this is a critical vulnerability. In addition, there is a Cross-Site Request Forgery to Remote Code Execution vulnerability in Widget Logic (fixed as of version 5.10.2), and a Cross-Site Request Forgery to Settings Update vulnerability in the same plugin that is unfixed as of this posting. Last, an Unauthorized Settings Update (fix available) in Block WP Login that allows an attacker to disable the protection offered by the plugin.
View this week's vulnerable plugins list.
Other Security News
Wanted to just quickly mention that Wordfence has a great interview with Ryan Dewurst who has contributed greatly to the wpscan tool, as well as being the maintainer of the wpvulndb.com database. Definitely check it out.