Plugin Vulnerabilities Updates – Week of 7/15/2016
Here is what we have been doing to keep your website secure from WordPress plugin vulnerabilities this week:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Week
- Remote code execution (RCE) vulnerability in wSecure Lite
- Arbitrary directory download vulnerability in Download Plugin
- Arbitrary directory download vulnerability in Download Theme
- Local file inclusion (LFI) vulnerability in MailPress
- Capabilities change vulnerability in MailPress
Plugin Vulnerabilities We Helped Get Fixed This Week
Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins
- Cross-site request forgery (CSRF)/settings change vulnerability in Lazy content Slider, discovered by Persian Hack Team
- Remote code execution (RCE) vulnerability in wSecure Lite, discovered by us
- Arbitrary directory download vulnerability in Download Plugin, discovered by us
- Arbitrary directory download vulnerability in Download Theme, discovered by us
- Local file inclusion (LFI) vulnerability in MailPress, discovered by us
- Capabilities change vulnerability in MailPress, discovered by us
Additional Vulnerabilities Added This Week
- Persistent cross-site scripting (XSS) vulnerability in All in One SEO Pack, discovered by David Vaartjes
- Cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in Ultimate Member, discovered by Burak Kelebek
- Authenticated information disclosure vulnerability in WP Maintenance Mode, claimed to be discovered by Wordfence
- Authenticated settings reset vulnerability in WP Maintenance Mode, claimed to be discovered by Wordfence
- Persistent cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Han Sahin
- Persistent cross-site scripting (XSS) vulnerability in Activity Log, discovered by Han Sahin
- Reflected cross-site scripting (XSS) vulnerability in Profile Builder, discovered by Yorick Koster
- Reflected cross-site scripting (XSS) vulnerability in Email Users, discovered by Yorick Koster
- Reflected cross-site scripting (XSS) vulnerability in Master Slider, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in Easy Forms for MailChimp, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in WP Fastest Cache, discovered by Yorick Koster
- Persistent cross-site scripting (XSS) vulnerability in All in One SEO Pack, discovered by Wordfence
- Reflected cross-site scripting (XSS) vulnerability in Google Forms, discovered by Yorick Koster
- Reflected cross-site scripting (XSS) vulnerability in Simple Membership, discovered by Yorick Koster
- Reflected cross-site scripting (XSS) vulnerability in Top 10, discovered by Yorick Koster