What We Were Up To in December, 2016
Here is what we had been doing to keep our customers’ websites secure from WordPress plugin vulnerabilities during December (and what you have been missing out on if you haven’t signed up yet):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities others have discovered; we also discover vulnerabilities while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Twitter Cards Meta
- Authenticated persistent cross-site scripting (XSS) vulnerability in wpDataTables Lite
- PHP object injection vulnerability in Stats Counter
- PHP object injection vulnerability in Backup & Restore Dropbox
- Authenticated information disclosure vulnerability in Backup & Restore Dropbox
- Cross-site request forgery (CSRF)/database upload vulnerability in ZX_CSV Upload
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- Reflected cross-site scripting (XSS) vulnerability in Check Email, discovered by Antonis Manaras
- Authenticated persistent cross-site scripting (XSS) vulnerability in wpDataTables Lite, discovered by us
- PHP object injection vulnerability in Backup & Restore Dropbox, discovered by us
- Authenticated information disclosure vulnerability in Backup & Restore Dropbox, discovered by us
- Server side request forgery (SSRF) vulnerability in Nelio AB Testing, discovered by Yeo Quan Yang
- Authenticated arbitrary file deletion vulnerability in Slider, discovered by dxwsecurity
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show.
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Twitter Cards Meta, discovered by us
- Arbitrary file upload vulnerability in Delete All Comments, discovered by NinTechNet
- Authenticated SQL injection vulnerability in WP Support Plus Responsive Ticket System, discovered by Lenon Leite
- PHP object injection vulnerability in Stats Counter, discovered by us
- Authenticated SQL injection vulnerability in Simple Personal Message, discovered by Lenon Leite
- Authenticated SQL injection vulnerability in WP Private Messages, discovered by Lenon Leite
- Cross-site request forgery (CSRF)/database upload vulnerability in ZX_CSV Upload, discovered by us
- SQL injection vulnerability in 404 Plugin for WordPress, discovered by Ahmed Sherif
- SQL injection vulnerability in Simply Poll, discovered by TAD GROUP
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities disclosed this month that we added to our data:
- Password reset vulnerability in Ultimate Member, discovered by James Golovich
- Reflected cross-site scripting (XSS) vulnerability in Social Pug, discovered by dxwsecurity
- Information disclosure vulnerability in WooCommerce Email Test, discovered by jansass GmbH
- Reflected cross-site scripting (XSS) vulnerability in MailChimp for WordPress, discovered by dxwsecurity
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Quiz And Survey Master, discovered by dxwsecurity
- Authenticated persistent cross-site scripting (XSS) vulnerability in wpDataTables Lite, discovered by us
- Authenticated arbitrary file deletion vulnerability in BuddyPress, discovered by Sam Pizzey (mopman)
- PHP object injection vulnerability in Backup & Restore Dropbox, discovered by us
- Authenticated information disclosure vulnerability in Backup & Restore Dropbox, discovered by us
- Server side request forgery (SSRF) vulnerability in Nelio AB Testing, discovered by Yeo Quan Yang
- Authenticated arbitrary file deletion vulnerability in Slider, discovered by dxwsecurity