What Happened With WordPress Plugin Vulnerabilities in December 2017
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during December (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Paid customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.
The most concerning vulnerabilities were several we found in plugins that appear to be targeted by a hacker. For two of the plugins, the issues we found still exist (one of them still has a prior vulnerability we notified the developer about months ago).
- Reflected cross-site scripting (XSS) vulnerability in Super Simple Custom CSS
- Information disclosure vulnerability in Captcha
- SQL injection vulnerability in SendinBlue Subscribe Form And WP SMTP
- Open redirect vulnerability in SagePay Server Gateway for WooCommerce
- Persistent cross-site scripting (XSS) vulnerability in Rich Reviews
- Settings change vulnerability in Rich Reviews
- Information disclosure vulnerability in Table Maker
- Privilege escalation vulnerability in Table Maker
- Persistent cross-site scripting (XSS) vulnerability in Table Maker
- Restricted file upload vulnerability in Sharexy
- SQL injection vulnerability in Table Maker
- PHP Object Injection Through SQL Injection Vulnerability in Table Maker
- Authenticated short link creation vulnerability in Pretty Links
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.
- Reflected cross-site scripting (XSS) vulnerability in RegistrationMagic, discovered by Rob Carr
- Information disclosure vulnerability in Table Maker, discovered by us
- Privilege escalation vulnerability in Table Maker, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Table Maker, discovered by us
- SQL injection vulnerability in Table Maker, discovered by us
- PHP Object Injection Through SQL Injection Vulnerability in Table Maker, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in SagePay Server Gateway for WooCommerce, discovered by Ricardo Sanchez
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:
- Reflected cross-site scripting (XSS) vulnerability in Special Text Boxes, discovered by ?
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Special Text Boxes, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Super Simple Custom CSS, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Smart Marketing SMS and Newsletters Forms, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Forms: 3rd-Party Inject Results, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Crowd Ideas, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in WordApp, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Pinterest Badge, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in WooPay – Inicis, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in 七牛云图床, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Wunderbar Basic, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Placemarks, discovered by Ricardo Sanchez
- SQL injection vulnerability in SendinBlue Subscribe Form And WP SMTP, discovered by us
- Open redirect vulnerability in SagePay Server Gateway for WooCommerce, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Rich Reviews, discovered by us
- Settings change vulnerability in Rich Reviews, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Itinerary, discovered by Ricardo Sanchez
- Restricted file upload vulnerability in Sharexy, discovered by us
- Authenticated short link creation vulnerability in Pretty Links, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Yakadanda Google+ Hangout Events, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in WordPress Concours (WP Concours), discovered by Nicolas Buzy-Debat
- Reflected cross-site scripting (XSS) vulnerability in Custom Maps (Custom Maps), discovered by Nicolas Buzy-Debat
- Reflected cross-site scripting (XSS) vulnerability in Csv Import-Export (ESB CSV Import – Export), discovered by Nicolas Buzy-Debat
- Spam injection vulnerability in Duplicate Page And Post, discovered by ?
- Spam injection vulnerability in No Follow All External Links, discovered by ?
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of them were rather minor, but a few of them either involve intentionally malicious code or might have been exploited by hackers.
- Reflected cross-site scripting (XSS) vulnerability in User Role Editor, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in WP Mailster, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Z-URL Preview, discovered by Ricardo Sanchez
- Information disclosure vulnerability in Captcha, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in BuddyPress Members Only, discovered by developer
- Reflected cross-site scripting (XSS) vulnerability in RegistrationMagic, discovered by Rob Carr
- Information disclosure vulnerability in Table Maker, discovered by us
- Privilege escalation vulnerability in Table Maker, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Table Maker, discovered by us
- Arbitrary email sending vulnerability in Sharexy, discovered by ?
- Restricted file upload vulnerability in Gallery by BestWebSoft, discovered by Sammy FORGIT
- SQL injection vulnerability in Table Maker, discovered by us
- PHP Object Injection Through SQL Injection Vulnerability in Table Maker, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in SagePay Server Gateway for WooCommerce, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Share This Image, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Clockwork SMS Notifications, discovered by Elias Dimopoulos
- Reflected cross-site scripting (XSS) vulnerability in Two-Factor Authentication – Clockwork SMS, discovered by Elias Dimopoulos
- Reflected cross-site scripting (XSS) vulnerability in Booking Calendar – Clockwork SMS, discovered by Elias Dimopoulos
- Reflected cross-site scripting (XSS) vulnerability in Contact Form 7 – Clockwork SMS, discovered by Elias Dimopoulos
- Reflected cross-site scripting (XSS) vulnerability in Fast Secure Contact Form – Clockwork SMS, discovered by Elias Dimopoulos
- Reflected cross-site scripting (XSS) vulnerability in Formidable – Clockwork SMS, discovered by Elias Dimopoulos
- Reflected cross-site scripting (XSS) vulnerability in Gravity Forms – Clockwork SMS, discovered by Elias Dimopoulos
- Reflected cross-site scripting (XSS) vulnerability in WP e-Commerce – Clockwork SMS, discovered by Elias Dimopoulos
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Top 10, discovered by Neven Biruski
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Clean Up Optimizer, discovered by Neven Biruski
- Authenticated SQL injection vulnerability in Booking Calendar, discovered by Neven Biruski
- Spam injection vulnerability in WP No External Links, discovered by ?