Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Mike Walsh

    (@mpwalsh8)

    You must not have looked very hard for my email address since it appears in the header of every file in the plugin.

    I will take a look at this over the weekend.

    Thread Starter ethicalhack3r

    (@ethicalhack3r)

    I did not download the plugin. I checked your WordPress profile and your website.

    You’re welcome by the way. >_>

    Plugin Author Mike Walsh

    (@mpwalsh8)

    Don’t get me wrong, I appreciate the heads up and I will fix it. What I took issue with is the lack of attempt to contact me. I am pretty easy to find.

    What is your affiliation with Vapid Labs?

    I have attempted to replicate the vulnerability on my own site and I cannot as I don’t know the value to use for the ABSPATH argument. Without this value, the PHP simply fails. I suppose on some sites the value could be guessed but on many it won’t be easy to do so.

    Plugin Author Mike Walsh

    (@mpwalsh8)

    Fixed in v1.45-beta-3 which will be released to production fairly soon.

    My sincere apologies Mike, the mail I attempted to send you was stuck on my mail relay due to a hardware failure. I’ve been conditioned to expect that most developers ignore or don’t respond to my emails.

    Plugin Author Mike Walsh

    (@mpwalsh8)

    I have released v1.45 which addresses this security problem.

    Thanks Mike!

  • The topic ‘Security Vulnerability’ is closed to new replies.