What Happened With WordPress Plugin Vulnerabilities in February 2018
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, our service provides it.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during February (and what you have been missing out on if you haven’t signed up yet):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered; we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
The most concerning vulnerabilities this month were several PHP object injection vulnerabilities. That is a type of vulnerability likely to be exploited, since passing attacker-controlled data to unserialize() lets the attacker instantiate classes of their choosing and trigger whatever their magic methods do. Two of them were in plugins with 10,000+ active installs according to wordpress.org. Another one, which may already have been under exploitation when we ran across it, was in an even more popular plugin (300,000+ active installs), but it was only exploitable by users logged in to WordPress, which limited the threat. Our Plugin Security Checker (which is now accessible through a WordPress plugin of its own) can detect the possibility of those variants of PHP object injection, so anyone can check whether plugins they use may be impacted by a similar vulnerability.
- Arbitrary file upload vulnerability in user files
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Flexible Captcha
- Authenticated arbitrary file upload vulnerability in Church Admin
- PHP object injection vulnerability in Welcart e-Commerce
- Authenticated information disclosure vulnerability in WordPress Backup to Dropbox
- Authenticated PHP object injection vulnerability in Autoship Cloud
- PHP object injection vulnerability in Swift Help Desk Support Software Ticketing System
- PHP object injection vulnerability in WP Support Plus Responsive Ticket System
- Cross-site request forgery (CSRF) vulnerability in SG Optimizer
- Authenticated privilege escalation vulnerability in SG Optimizer
- Reflected cross-site scripting (XSS) vulnerability in SG Optimizer
- Authenticated PHP object injection vulnerability in Category Order and Taxonomy Terms Order
- PHP object injection vulnerability in PWAMP
- Authenticated arbitrary file upload vulnerability in Convert Docx2post
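To make the PHP object injection pattern behind several of the vulnerabilities above concrete, here is an added example. It is not code from this post, from the Plugin Security Checker, or from any of the plugins listed; the class, function and file names are hypothetical, the payload is constructed by hand, and the demonstration writes to /tmp/poc.txt. It shows untrusted input reaching unserialize(), the kind of innocuous-looking class that turns that into an arbitrary file write, two fixes, and a crude source check of the sort a plugin scanner performs (also hypothetical, not the checker the post describes).

```php
<?php
// Added example, not code from the post or from any plugin named above.
// Shows the pattern behind PHP object injection (untrusted input reaching
// unserialize()), why a harmless-looking class makes it exploitable, two
// fixes, and a crude source check of the kind a plugin scanner performs.
// All class, function and path names are hypothetical.

// A class a plugin or WordPress core might legitimately define. Its
// destructor does file I/O driven by its properties, so once an attacker
// controls those properties it becomes a "gadget": unserialize() builds
// the object and PHP runs __destruct() when it is freed, no call needed.
// (__wakeup() and __toString() are other common triggers.)
class HypotheticalLogWriter {
    public $path = '/tmp/hypothetical-plugin.log';
    public $data = '';
    public function __destruct() {
        file_put_contents($this->path, $this->data);  // attacker-chosen path and content
    }
}

// VULNERABLE: request data (a cookie here, but $_GET/$_POST/$_REQUEST are the
// same) goes straight into unserialize(), so the attacker picks the class.
function vulnerable_prefs(string $raw_cookie): array {
    $prefs = @unserialize($raw_cookie);
    return is_array($prefs) ? $prefs : array();
}

// FIXED (PHP >= 7.0): refuse to instantiate any class. Objects in the input
// come back as __PHP_Incomplete_Class, which is not an array, so the
// is_array() check also rejects them. No destructor ever runs.
function hardened_prefs(string $raw_cookie): array {
    $prefs = @unserialize($raw_cookie, array('allowed_classes' => false));
    return is_array($prefs) ? $prefs : array();
}

// FIXED (any PHP): do not use PHP's serialization format for untrusted data.
// JSON cannot express objects of arbitrary classes.
function json_prefs(string $raw_cookie): array {
    $prefs = json_decode($raw_cookie, true);
    return is_array($prefs) ? $prefs : array();
}

// Crude static check in the spirit of a plugin scanner: flag unserialize()
// calls on the same line as superglobal request input or base64_decode()
// and without allowed_classes. Returns [line number => source line].
function find_risky_unserialize(string $php_source): array {
    $hits = array();
    foreach (explode("\n", $php_source) as $i => $line) {
        if (preg_match('/\bunserialize\s*\(/', $line)
            && preg_match('/\$_(?:GET|POST|COOKIE|REQUEST)\b|base64_decode\s*\(/', $line)
            && strpos($line, 'allowed_classes') === false) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// --- Demonstration ---------------------------------------------------------
// Constructed attacker payload: a serialized HypotheticalLogWriter (21-char
// class name, 2 properties) pointing the destructor at /tmp/poc.txt.
$payload = 'O:21:"HypotheticalLogWriter":2:{'
         . 's:4:"path";s:12:"/tmp/poc.txt";'
         . 's:4:"data";s:5:"pwned";}';

@unlink('/tmp/poc.txt');
vulnerable_prefs($payload);   // object built, freed on return, destructor writes the file
printf("vulnerable: file written? %s\n", file_exists('/tmp/poc.txt') ? 'yes' : 'no');

@unlink('/tmp/poc.txt');
hardened_prefs($payload);     // __PHP_Incomplete_Class instead, so no destructor
printf("hardened:   file written? %s\n", file_exists('/tmp/poc.txt') ? 'yes' : 'no');

// Legitimate serialized data still round-trips through the hardened handler.
var_dump(hardened_prefs(serialize(array('per_page' => 20))) === array('per_page' => 20));

// The source check flags the two vulnerable lines and not the fixed one.
$src = "<?php\n"
     . "\$a = unserialize(\$_COOKIE['prefs']);\n"
     . "\$b = unserialize(base64_decode(\$_POST['state']));\n"
     . "\$c = unserialize(\$_COOKIE['prefs'], array('allowed_classes' => false));\n";
print_r(array_keys(find_risky_unserialize($src)));
```

Two points worth keeping in mind when reviewing a plugin for this: the dangerous call is often several hops from the request (base64_decode(), a cookie read in one function and unserialized in another, or WordPress's maybe_unserialize() on a value that originated in a request), so a line-level check like the one above is a starting point rather than a verdict; and "authenticated" in the list above only means the entry point requires a login, not that the resulting object injection is any less powerful once reached.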
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Flexible Captcha, discovered by us
- Authenticated arbitrary file upload vulnerability in Church Admin, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Itinerary, discovered by Ricardo Sanchez
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Newsletters, discovered by us
- Cross-site request forgery (CSRF) vulnerability in Companion Auto Update, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Bookly Lite, discovered by Luigi Gubello
- Authenticated PHP object injection vulnerability in Autoship Cloud, discovered by us
- PHP object injection vulnerability in WP Support Plus Responsive Ticket System, discovered by us
- Cross-site request forgery (CSRF) vulnerability in SG Optimizer, discovered by us
- Authenticated privilege escalation vulnerability in SG Optimizer, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in SG Optimizer, discovered by us
- Authenticated PHP object injection vulnerability in Category Order and Taxonomy Terms Order, discovered by us
- PHP object injection vulnerability in PWAMP, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show:
- Reflected cross-site scripting (XSS) vulnerability in Simple Instagram Feed, discovered by Damian Schwyrz
- Arbitrary file upload vulnerability in user files, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in flickrRSS, discovered by AntsKnows
- PHP object injection vulnerability in Welcart e-Commerce, discovered by us
- Authenticated information disclosure vulnerability in WordPress Backup to Dropbox, discovered by us
- PHP object injection vulnerability in Swift Help Desk Support Software Ticketing System, discovered by us
- Authenticated arbitrary file upload vulnerability in Convert Docx2post, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. The most serious here are two of the PHP object injection vulnerabilities we discovered during the month, one of which may already have been exploited.
- Reflected cross-site scripting (XSS) vulnerability in WP Retina 2x, discovered by Chris Liu
- Privilege escalation vulnerability in Accelerated Mobile Pages, discovered by ?
- Authenticated persistent cross-site scripting (XSS) vulnerability in Accelerated Mobile Pages, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in cformsII, discovered by ?
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Flexible Captcha, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP Pipes, discovered by ?
- Authenticated arbitrary file deletion vulnerability in Woocommerce CSV Import, discovered by ?
- Authenticated arbitrary file upload vulnerability in Church Admin, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Instagram Feed, discovered by Magnus Stubman
- Persistent cross-site scripting (XSS) vulnerability in Bookly Lite, discovered by Luigi Gubello
- Authenticated PHP object injection vulnerability in Autoship Cloud, discovered by us
- PHP object injection vulnerability in WP Support Plus Responsive Ticket System, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Spider FAQ, discovered by ?
- Cross-site request forgery (CSRF) vulnerability in SG Optimizer, discovered by us
- Authenticated privilege escalation vulnerability in SG Optimizer, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in SG Optimizer, discovered by us
- Authenticated PHP object injection vulnerability in Category Order and Taxonomy Terms Order, discovered by us
- PHP object injection vulnerability in PWAMP, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in MailChimp for WordPress, discovered by Karim Ouerghemmi of RIPS
- Reflected cross-site scripting (XSS) vulnerability in Custom Permalinks, discovered by Karim Ouerghemmi of RIPS
- Reflected cross-site scripting (XSS) vulnerability in Photo Gallery by WD, discovered by Karim Ouerghemmi of RIPS
- Authenticated SQL injection vulnerability in WP Fastest Cache, discovered by Karim Ouerghemmi of RIPS
- Cross-site request forgery (CSRF)/SQL injection vulnerability in WP Fastest Cache, discovered by Karim Ouerghemmi of RIPS