Plugin Vulnerabilities Updates – Week of 7/29/2016
Here is what we have been doing to keep your website secure from WordPress plugin vulnerabilities this week:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Week
- Arbitrary file upload vulnerability in ecSTATic
- Cross-site request forgery (CSRF) vulnerability in User Activity Log
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in User Activity Log
Plugin Vulnerabilities We Helped Get Fixed This Week
- Reflected cross-site scripting (XSS) vulnerability in Realia, discovered by WICS
Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins
- Arbitrary file upload vulnerability in ecSTATic, discovered by us
- Authenticated cross-site scripting (XSS) vulnerability in Page Builder by WooRockets.com, discovered by danm2k
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Woo Custom Checkout Field, discovered by Rob Carr
- Cross-site request forgery (CSRF) vulnerability in User Activity Log, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in User Activity Log, discovered by us
Additional Vulnerabilities Added This Week
- Reflected cross-site scripting (XSS) vulnerability in Code Snippets, discovered by Burak Kelebek
- Reflected cross-site scripting (XSS) vulnerability in Easy Forms for MailChimp, discovered by Wordfence
- SQL injection vulnerability in Product Catalog, discovered by Joaquin Ramirez Martinez