24 Dec 2018 by Karim El Ouerghemmi
Finding a critical vulnerability in one popular WordPress plugin and exploiting it in the wild could allow attackers to easily hijack thousands to millions of websites. A recent example of this is the case of the popular plugin WP GDPR Compliance. One plugin thus represents a single point of failure for all the websites using it. However, in terms of risk to the WordPress ecosystem, there is something with an even wider reach than the security of popular plugins: the security of WordPress.org itself. In this blog post, we investigate a critical stored XSS vulnerability on the WordPress.org website that we reported to the WordPress security team in May of this year.