What Happened With WordPress Plugin Vulnerabilities in November 2017
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Paid customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.
The most concerning vulnerabilities this month were a pair of arbitrary file upload vulnerabilities: one in the first version of a plugin, which points to the need for changes to the security reviews that are supposed to be done before plugins can enter the Plugin Directory, and the other in a plugin that has been removed from the Plugin Directory for an undisclosed reason.
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Simple Events Calendar
- Arbitrary file upload vulnerability in Wallable
- Authenticated arbitrary file upload vulnerability in Vmax Project Manager
- Authenticated local file inclusion (LFI) vulnerability in Vmax Project Manager
- Local file inclusion (LFI) vulnerability in MailChimp for WooCommerce
- Reflected cross-site scripting (XSS) vulnerability in ProfileGrid
- Reflected cross-site scripting (XSS) vulnerability in WP Customer Area
- Arbitrary file upload vulnerability in PHP Event Calendar
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 1,054,600+ active installs:
- Authenticated SQL injection vulnerability in JTRT Responsive Tables, discovered by Lenon Leite
- Local file inclusion (LFI) vulnerability in MailChimp for WooCommerce, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Duplicator, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in ProfileGrid, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP Customer Area, discovered by us
- Cross-site request forgery (CSRF) vulnerability in WC Duplicate Order, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Appointments, discovered by Ricardo Sanchez
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:
- Reflected cross-site scripting (XSS) vulnerability in Pretty Links (Lite), discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Pretty Links (Lite), discovered by WPCampus
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Active Directory Integration, discovered by Lenon Leite
- Authenticated SQL injection vulnerability in Events, discovered by Lenon Leite
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Events, discovered by Lenon Leite
- Reflected cross-site scripting (XSS) vulnerability in Secure HTML5 Video Player, discovered by Ricardo Sanchez
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Simple Events Calendar, discovered by us
- Arbitrary file upload vulnerability in Wallable, discovered by us
- Authenticated arbitrary file upload vulnerability in Vmax Project Manager, discovered by us
- Authenticated local file inclusion (LFI) vulnerability in Vmax Project Manager, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Breezing Forms, discovered by Ricardo Sanchez
- Authenticated SQL injection vulnerability in InLinks, discovered by Dimopoulos Elias
- Cross-site scripting (XSS) vulnerability in Advanced Post Type Ratings, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in DFD Reddcoin Tips, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in AMP Toolbox, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Affiliate Ads for Clickbank Products, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Boozang, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Cartogiraffe Map, discovered by Ricardo Sanchez
- Cross-site request forgery (CSRF) vulnerability in WP Fastest Cache, discovered by ?
- Arbitrary file upload vulnerability in PHP Event Calendar, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. The most concerning of the bunch was an authenticated remote code execution (RCE) vulnerability in Shortcodes Ultimate, as there were exploitation attempts against it before it was fixed (some of them also used the shortcode execution vulnerability in Formidable Forms, though that may have only started being exploited after it was fixed).
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Link Library, discovered by Lenon Leite
- Authenticated SQL injection vulnerability in JTRT Responsive Tables, discovered by Lenon Leite
- PHP object injection vulnerability in Product Catalog, discovered by tomplixsee
- Authenticated remote code execution (RCE) vulnerability in Shortcodes Ultimate, discovered by Robert Mathews
- Reflected cross-site scripting (XSS) vulnerability in Ultimate Instagram Feed, discovered by Dimopoulos Elias
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Social Share Button, discovered by ?
- Information disclosure vulnerability in ProfileGrid, discovered by ?
- Local file inclusion (LFI) vulnerability in MailChimp for WooCommerce, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Duplicator, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Yoast SEO, discovered by Dimopoulos Elias
- Reflected cross-site scripting (XSS) vulnerability in ProfileGrid, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP Customer Area, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in WP Mail Logging, discovered by Yehuda
- Persistent cross-site scripting (XSS) vulnerability in Email Log, discovered by Yehuda
- Reflected cross-site scripting (XSS) vulnerability in Emag Marketplace Connector, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Appointments, discovered by Ricardo Sanchez
- Shortcode execution vulnerability in Formidable Forms, discovered by Klikki Oy
- Reflected cross-site scripting (XSS) vulnerability in Formidable Forms, discovered by Klikki Oy