Here is what we have been doing to keep your website secure from WordPress plugin vulnerabilities this week:

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Week

• Remote code execution (RCE) vulnerability in wSecure Lite
• Arbitrary directory download vulnerability in Download Plugin
• Arbitrary directory download vulnerability in Download Theme
• Local file inclusion (LFI) vulnerability in MailPress
• Capabilities change vulnerability in MailPress

Plugin Vulnerabilities We Helped Get Fixed This Week

• Privilege escalation vulnerability in Simplr Registration Form Plus+

 

Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins

• Cross-site request forgery (CSRF)/settings change vulnerability in Lazy content Slider, discovered by Persian Hack Team
• Remote code execution (RCE) vulnerability in wSecure Lite, discovered by us
• Arbitrary directory download vulnerability in Download Plugin, discovered by us
• Arbitrary directory download vulnerability in Download Theme, discovered by us
• Local file inclusion (LFI) vulnerability in MailPress, discovered by us
• Capabilities change vulnerability in MailPress, discovered by us

Additional Vulnerabilities Added This Week

• Persistent cross-site scripting (XSS) vulnerability in All in One SEO Pack, discovered by David Vaartjes
• Cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in Ultimate Member, discovered by Burak Kelebek
• Authenticated information disclosure vulnerability in WP Maintenance Mode, claimed to be discovered by Wordfence
• Authenticated settings reset vulnerability in WP Maintenance Mode, claimed to be discovered by Wordfence
• Persistent cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Han Sahin
• Persistent cross-site scripting (XSS) vulnerability in Activity Log, discovered by Han Sahin
• Reflected cross-site scripting (XSS) vulnerability in Profile Builder, discovered by Yorick Koster
• Reflected cross-site scripting (XSS) vulnerability in Email Users, discovered by Yorick Koster
• Reflected cross-site scripting (XSS) vulnerability in Master Slider, discovered by Yorick Koster
• Cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in Easy Forms for MailChimp, discovered by Yorick Koster
• Cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in WP Fastest Cache, discovered by Yorick Koster
• Persistent cross-site scripting (XSS) vulnerability in All in One SEO Pack, discovered by Wordfence
• Reflected cross-site scripting (XSS) vulnerability in Google Forms, discovered by Yorick Koster
• Reflected cross-site scripting (XSS) vulnerability in Simple Membership, discovered by Yorick Koster
• Reflected cross-site scripting (XSS) vulnerability in Top 10, discovered by Yorick Koster