Eleven disclosures this week, with two issues unfixed, both critical. Both have been removed from the public repository.
As a point of clarification, since there seems to be some confusion: I am not the discoverer of the vulnerabilities listed in the spreadsheet. There is a column labeled Source that lists the location of where I learned of the disclosure or vulnerability. I subscribe and read hundreds of blogs, exploit databases, security lists etc. trying to find WordPress-related disclosures, and then compile them into the spreadsheet. If I discuss or expand on a particular vulnerability, I do so to help explain the vulnerability: why it’s a vulnerability, why it’s critical or how the vulnerability manifest itself.
The first critical issue in this week’s list is with the SI CAPTCHA plugin where the original developer revealed that he transferred ownership of the plugin to another developer. The new developer then proceeded to insert code into the plugin that could be used to display spam posts in a manner similar to what happened with the Display Widgets plugin. WordPress.org Admin “Otto” has released a clean version 3.0.3 with the malicious code removed but warns there will be no further updates and that you should begin looking for a replacement.