Plugin Vulnerabilities Updates – Week of 8/5/2016
Here is what we have been doing to keep your website secure from WordPress plugin vulnerabilities this week:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Week
- Arbitrary file upload vulnerability in Adblock Blocker
- Arbitrary file upload vulnerability in Estatik
- Authenticated information disclosure vulnerability in Simple History
Plugin Vulnerabilities We Helped Get Fixed This Week
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Booking Calendar, discovered by Edwin Molenaar
- Authenticated information disclosure vulnerability in Simple History, discovered by us
- Remote code execution (RCE) vulnerability in wSecure Lite, discovered by us
Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins
- Arbitrary file upload vulnerability in Adblock Blocker, discovered by us
- Arbitrary file upload vulnerability in Estatik, discovered by us
Additional Vulnerabilities Added This Week
- Authenticated SQL injection vulnerability in Booking Calendar, discovered by Edwin Molenaar
- Reflected cross-site scripting (XSS) vulnerability in Contact Bank, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in WangGuard, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Uji Countdown, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Booking Calendar, discovered by Edwin Molenaar
- Cross-site request forgery (CSRF) vulnerability in ALO EasyMail Newsletter, discovered by Yorick Koster
- Persistent cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Dennis Kerdijk
- Reflected cross-site scripting (XSS) vulnerability in WordPress Landing Pages, discovered by Burak Kelebek
- Authenticated information disclosure vulnerability in Simple History, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Count per Day, discovered by Yorick Koster
- Reflected cross-site scripting (XSS) vulnerability in FormBuilder, discovered by Peter Ganzevles
- Reflected cross-site scripting (XSS) vulnerability in Activity Log, discovered by Edwin Molenaar
- Reflected cross-site scripting (XSS) vulnerability in Activity Log, discovered by Edwin Molenaar
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Events Made Easy, discovered by Job Diesveld
- Reflected cross-site scripting (XSS) vulnerability in Store Locator Plus, discovered by Yorick Koster
- Persistent cross-site scripting (XSS) vulnerability in Count per Day, discovered by Julien Rentrop