What We Were Up to in September, 2016
Here is what we were doing to keep our customers’ websites secure from WordPress plugin vulnerabilities during September (and what you have been missing out on if you haven’t signed up yet):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities others have discovered; we also discover vulnerabilities ourselves while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
- Authenticated media deletion vulnerability in Import users from CSV with meta
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) in Centrora Security
- Authenticated persistent cross-site scripting (XSS) vulnerability in Centrora Security
- Persistent cross-site scripting (XSS) vulnerability in 404 to 301
- Cross-site request forgery (CSRF)/user import vulnerability in Members Import
- Cross-site request forgery (CSRF) vulnerability in WooCommerce Product Feed
- Reflected cross-site scripting (XSS) vulnerability in Quotes Collection
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in CYSTEME Finder
- Arbitrary file upload vulnerability in N-Media Post Front-end Form
- Arbitrary file upload vulnerability in Genesis Simple Defaults
- Arbitrary file upload vulnerability in WooCommerce Extra Fields
- Arbitrary file upload vulnerability in N-Media Website Contact Form with File Upload
- Arbitrary file upload vulnerability in Front end file upload and manager Plugin
- Arbitrary file upload vulnerability in Downloads Manager
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- Cross-site request forgery (CSRF)/user import in Import users from CSV with meta, discovered by us
- Authenticated media deletion vulnerability in Import users from CSV with meta, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) in Centrora Security, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in Centrora Security, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in 404 to 301, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in WP-Piwik, discovered by us
- Arbitrary file upload vulnerability in WooCommerce Extra Fields, discovered by us
- Arbitrary file upload vulnerability in Front end file upload and manager Plugin, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as the following vulnerabilities in the current versions of plugins show:
- Cross-site request forgery (CSRF)/user import vulnerability in Members Import, discovered by us
- Cross-site request forgery (CSRF) vulnerability in WooCommerce Product Feed, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Quotes Collection, discovered by us
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in CYSTEME Finder, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in Advanced ads Management by Inazo, discovered by Usman Nasir
- Arbitrary file upload vulnerability in N-Media Post Front-end Form, discovered by us
- Arbitrary file upload vulnerability in N-Media Website Contact Form with File Upload, discovered by us
- Arbitrary file upload vulnerability in Genesis Simple Defaults, discovered by us
- Arbitrary file upload vulnerability in Downloads Manager, discovered by us
- SQL injection vulnerability in Gallery Objects, discovered by Claudio Viviani
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities disclosed this month that we added to our data:
- Reflected cross-site scripting (XSS) vulnerability in MailPoet Newsletters, discovered by Sipke Mellema
- Privilege escalation vulnerability in WP Front End Profile, discovered by Phil Wylie
- Arbitrary file viewing vulnerability in CYSTEME Finder, discovered by t0w3ntum
- Arbitrary file upload vulnerability in CYSTEME Finder, discovered by t0w3ntum
- Cross-site request forgery (CSRF)/user import in Import users from CSV with meta, discovered by us
- Authenticated media deletion vulnerability in Import users from CSV with meta, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) in Centrora Security, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in Centrora Security, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in 404 to 301, discovered by Louis Dion-Marcil
- Information disclosure vulnerability in Order / Coupon / Subscription Export Import Plugin for WooCommerce (BASIC), discovered by David Peltier
- Arbitrary file upload vulnerability in WooCommerce Extra Fields, discovered by us
- Arbitrary file upload vulnerability in Front end file upload and manager Plugin, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in W3 Total Cache, discovered by Zerial