What We Were Up To in November, 2016
Here is what we were doing to keep our customers' websites secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven't signed up yet):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don't just collect data on vulnerabilities others have discovered; we also discover vulnerabilities while monitoring hackers' activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
- File deletion vulnerability in Post Grid
- Cross-site request forgery (CSRF)/file deletion vulnerability in XCloner
- Authenticated remote code execution (RCE) vulnerability in NextGEN Gallery
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- File deletion vulnerability in Post Grid, discovered by us
- Cross-site request forgery (CSRF)/file deletion vulnerability in XCloner, discovered by us
- Authenticated remote code execution (RCE) vulnerability in NextGEN Gallery, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show.
- PHP Object Injection Vulnerability in Google Analytics Counter Tracker, discovered by Unknown
- SQL injection vulnerability in Answer My Question, discovered by Lenon Leite
- SQL injection vulnerability in Product Catalog 8, discovered by Lenon Leite
- Authenticated SQL injection vulnerability in MiniCart, discovered by Lenon Leite
- SQL injection vulnerability in BBS e-Franchise, discovered by Lenon Leite
- Reflected cross-site scripting (XSS) vulnerability in Check Email, discovered by Antonis Manaras
- Reflected cross-site scripting (XSS) vulnerability in WP Whois Domain, discovered by ControlScan
- SQL injection vulnerability in WA Form Builder, discovered by Lenon Leite
- Local file inclusion vulnerability in WP Vault, discovered by Lenon Leite
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities disclosed this month that we added to our data:
- Reflected cross-site scripting (XSS) vulnerability in Calendar, discovered by Remco Vermeulen
- Persistent cross-site scripting (XSS) vulnerability in WassUp Real Time Analytics, discovered by Burak Kelebek
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Caldera Forms, discovered by Jurgen Kloosterman
- Persistent cross-site scripting (XSS) vulnerability in 404 to 301, discovered by Alyssa Milburn
- File deletion vulnerability in Post Grid, discovered by us
- Cross-site request forgery (CSRF)/file deletion vulnerability in XCloner, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in All In One WP Security & Firewall, discovered by Yorick Koster
- Authenticated SQL injection vulnerability in Sirv, discovered by Lenon Leite
- Reflected cross-site scripting (XSS) vulnerability in Huge IT Portfolio Gallery, discovered by Antonis Manaras
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Instagram Feed, discovered by Sipke Mellema
- Authenticated persistent cross-site scripting (XSS) vulnerability in WP Canvas – Shortcodes, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in WP Google Maps, discovered by Sipke Mellema
- Server side request forgery (SSRF) vulnerability in W3 Total Cache, discovered by Jouko Pynnönen
- SQL injection vulnerability in Olimometer, discovered by TAD GROUP
- Reflected cross-site scripting (XSS) vulnerability in Huge IT Portfolio Gallery, discovered by Rob Carr
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Huge-IT Gallery, discovered by Sipke Mellema
- Authenticated remote code execution (RCE) vulnerability in NextGEN Gallery, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Insert Html Snippet, discovered by Yorick Koster
- PHP object injection vulnerability in YITH WooCommerce Compare, discovered by Yorick Koster