What Happened With WordPress Plugin Vulnerabilities in August 2017
If you want the best information about vulnerabilities in WordPress plugins, and therefore the best protection against them, our service provides it.
Here is what we did during August to keep those who are already using our service secure from WordPress plugin vulnerabilities (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:
We don’t currently have any more plugins queued up for a review, so if you sign up for the service now, a plugin you suggest could be reviewed right away.
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered. We also discover vulnerabilities ourselves: through proactive monitoring of changes made to plugins, by monitoring hackers’ activity, by reviewing other vulnerabilities, and by doing additional checking on the security of plugins.
This month the most concerning vulnerability is a PHP object injection vulnerability in WP Smart Security, since that type of vulnerability is likely to be exploited and this one hasn’t been fixed yet.
- Authenticated PHP object injection vulnerability in Business Directory Plugin
- Authenticated information disclosure vulnerability in Cherry Services List
- Authenticated information disclosure vulnerability in Cherry Team Members
- Arbitrary file viewing vulnerability in WP Post Popup
- Cross-site scripting (XSS) vulnerability in WP Post Popup
- Settings change vulnerability in Asgaros Forum
- Cross-site request forgery (CSRF)/Settings change vulnerability in Asgaros Forum
- PHP object injection vulnerability in Leaky Paywall
- Authenticated information disclosure vulnerability in Advanced Contact form 7 DB
- Authenticated persistent cross-site scripting (XSS) vulnerability in FG Joomla to WordPress
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in FG Joomla to WordPress
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Participants Database
- Cross-site request forgery (CSRF) vulnerability in wpDataTables Lite
- Cross-site request forgery (CSRF)/SQL injection vulnerability in wpDataTables Lite
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Jayj Quicktag
- PHP object injection vulnerability in WP Smart Security
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Traffic Manager
- Authenticated PHP object injection vulnerability in Slimstat Analytics
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 177,800+ active installs:
- Authenticated PHP object injection vulnerability in Business Directory Plugin
- Authenticated information disclosure vulnerability in Cherry Services List, discovered by us
- Authenticated information disclosure vulnerability in Cherry Team Members, discovered by us
- Arbitrary file viewing vulnerability in WP Post Popup, discovered by us
- Cross-site scripting (XSS) vulnerability in WP Post Popup, discovered by us
- PHP object injection vulnerability in Leaky Paywall, discovered by us
- Cross-site request forgery (CSRF)/Settings change vulnerability in Asgaros Forum, discovered by us
- Authenticated information disclosure vulnerability in Advanced Contact form 7 DB, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in FG Joomla to WordPress, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in FG Joomla to WordPress, discovered by us
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Participants Database, discovered by us
- Cross-site request forgery (CSRF) vulnerability in wpDataTables Lite, discovered by us
- Cross-site request forgery (CSRF)/SQL injection vulnerability in wpDataTables Lite, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Jayj Quicktag, discovered by us
- Authenticated PHP object injection vulnerability in Slimstat Analytics, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show:
- Reflected cross-site scripting (XSS) vulnerability in PressForward, discovered by DefenseCode
- Authenticated SQL injection vulnerability in I Recommend This, discovered by Paul Dannewitz
- PHP object injection vulnerability in Flickrpress, discovered by Peeter Marvet
- Cross-site request forgery (CSRF)/SQL injection vulnerability in RK Responsive Contact Form, discovered by Larry W. Cashdollar
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Gallery transformation, discovered by Larry W. Cashdollar
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Add/Edit/Delete Module, discovered by Larry W. Cashdollar
- PHP object injection vulnerability in WP Smart Security, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Traffic Manager, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of the new vulnerabilities that were fixed this month are relatively minor:
- Authenticated PHP object injection vulnerability in Business Directory Plugin
- Authenticated information disclosure vulnerability in Cherry Services List, discovered by us
- Authenticated information disclosure vulnerability in Cherry Team Members, discovered by us
- Arbitrary file viewing vulnerability in WP Post Popup, discovered by us
- Cross-site scripting (XSS) vulnerability in WP Post Popup, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Simba Plugins Manager, discovered by ?
- Authenticated SQL injection vulnerability in Easy Modal, discovered by DefenseCode
- Settings change vulnerability in Asgaros Forum, discovered by us
- PHP object injection vulnerability in Leaky Paywall, discovered by us
- Cross-site request forgery (CSRF)/Settings change vulnerability in Asgaros Forum, discovered by us
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Podlove Podcast Publisher, discovered by DefenseCode
- Authenticated information disclosure vulnerability in Advanced Contact form 7 DB, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Share on Diaspora, discovered by APA Golestan
- Authenticated persistent cross-site scripting (XSS) vulnerability in FG Joomla to WordPress, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in FG Joomla to WordPress, discovered by us
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Participants Database, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Embed Images in Comments, discovered by Gennady Kovshenin
- Cross-site request forgery (CSRF) vulnerability in wpDataTables Lite, discovered by us
- Cross-site request forgery (CSRF)/SQL injection vulnerability in wpDataTables Lite, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Jayj Quicktag, discovered by us
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Event Espresso Lite, discovered by Larry W. Cashdollar
- Authenticated PHP object injection vulnerability in Slimstat Analytics, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Omaid Faizyar
- Cross-site request forgery (CSRF) vulnerability in Loginizer, discovered by Jonas Lejon
- SQL injection vulnerability in Loginizer, discovered by Jonas Lejon
- Reflected cross-site scripting (XSS) vulnerability in BackupGuard, discovered by Chris Liu
- Host header injection vulnerability in AddToAny Share Buttons, discovered by Paul Dannewitz