What Happened With WordPress Plugin Vulnerabilities in May 2018
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during May (and what you have been missing out on if you haven’t signed up yet):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.
The most concerning vulnerability is an arbitrary file upload vulnerability, which is a type that is normally highly likely to be exploited, though this one is only exploitable if an admin page has been visited at some point prior to the exploitation attempt.
- Authenticated information disclosure vulnerability in Page and Post Clone
- Information disclosure vulnerability in Google Drive for WordPress (wp-google-drive)
- Arbitrary file upload vulnerability in KingComposer
- Reflected cross-site scripting (XSS) vulnerability in CF7 Invisible reCAPTCHA
- Reflected cross-site scripting (XSS) vulnerability in WP Booking
- Reflected cross-site scripting (XSS) vulnerability in WP Google Map Plugin
- PHP object injection vulnerability in WordPress Survey & Poll
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.
This month we helped to get plugins with 155,300 active installations, according to wordpress.org, fixed.
- Persistent cross-site scripting (XSS) vulnerability in Caldera Forms, discovered by Federico Scalco
- Reflected cross-site scripting (XSS) vulnerability in CF7 Invisible reCAPTCHA, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP Booking, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Luigi Gubello
- PHP object injection vulnerability in WordPress Survey & Poll, discovered by us
Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:
- Authenticated persistent cross-site scripting (XSS) vulnerability in WordPress File Upload, discovered by ManhNho
- Authenticated information disclosure vulnerability in Page and Post Clone, discovered by us
- Information disclosure vulnerability in Google Drive for WordPress (wp-google-drive), discovered by us
- Arbitrary file upload vulnerability in KingComposer, discovered by us
- CSV injection vulnerability in WordPress Comments Import & Export, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in WP Google Map Plugin, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month.
- CSV injection vulnerability in Form Maker (Form Maker by WD), discovered by Jetty Sairam
- Reflected cross-site scripting (XSS) vulnerability in PixelYourSite, discovered by Chris Liu
- Reflected cross-site scripting (XSS) vulnerability in WP Google Map Plugin, discovered by Chris Liu
- Cross-site request forgery (CSRF) vulnerability in WP User Groups, discovered by Tom Adams of dxw
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Metronet Tag Manager, discovered by Tom Adams of dxw
- Persistent cross-site scripting (XSS) vulnerability in WP ULike, discovered by Tom Adams of dxw
- Authenticated persistent cross-site scripting (XSS) vulnerability in WP ULike, discovered by Tom Adams of dxw
- Authenticated database row deletion vulnerability in WP ULike, discovered by Tom Adams of dxw
- Cross-site request forgery (CSRF)/database row deletion vulnerability in WP ULike, discovered by Tom Adams of dxw
- Reflected cross-site scripting (XSS) vulnerability in CF7 Invisible reCAPTCHA, discovered by us
- Cross-site request forgery (CSRF) vulnerability in Ultimate Member, discovered by Riccardo ten Cate
- Reflected cross-site scripting (XSS) vulnerability in WP Booking, discovered by us
- Authenticated remote code execution (RCE) vulnerability in ProfileGrid, discovered by Karim El Ouerghemmi of RIPS Technologies
- Reflected cross-site scripting (XSS) vulnerability in Custom css-js-php, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Open Graph for Facebook, Google+ and Twitter Card Tags, discovered by Chris Liu
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Ultimate Member, discovered by Riccardo ten Cate
- PHP object injection vulnerability in WordPress Survey & Poll, discovered by us
- SQL injection vulnerability in wpForo Forum, discovered by cate4cafe
- Persistent cross-site scripting (XSS) vulnerability in Loginizer, discovered by Leigh of Dewhurst Security
- Authenticated persistent cross-site scripting (XSS) vulnerability in GD bbPress Attachments, discovered by Luigi Gubello