What We Were Up To in October, 2016
Here is what we were doing to keep our customers' websites secure from WordPress plugin vulnerabilities during October (and what you have been missing out on if you haven't signed up yet):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don't just collect data on vulnerabilities others have discovered; we also discover vulnerabilities ourselves while monitoring hackers' activity, reviewing other vulnerabilities, and doing additional checking of the security of plugins.
- SQL injection vulnerability in bbPress Like Button
- SQL injection vulnerability in Party Hall Booking Manager
- Persistent cross-site scripting (XSS) vulnerability in WordPress Appointment Schedule Booking System
- Persistent cross-site scripting (XSS) vulnerability in EventCommerce WP Event Calendar
- Persistent cross-site scripting (XSS) vulnerability in WP Quick Booking Manager
- Arbitrary file upload vulnerability in WP Marketplace
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Site Analytics Plugin
- Local file inclusion (LFI) vulnerability in InPost Gallery
- Authenticated persistent cross-site scripting (XSS) vulnerability in InPost Gallery
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Simply Static
- Cross-site request forgery (CSRF) vulnerability in GoDaddy Email Marketing
- Local file inclusion (LFI) vulnerability in SAM Pro (Free Edition)
- Local file inclusion (LFI) vulnerability in Simple Ads Manager
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself simply by updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- Information disclosure vulnerability in WP Ultimate Exporter, discovered by us
- SQL injection vulnerability in WP Ultimate Exporter, discovered by Henri Salo
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in User Activity Log, discovered by us
- Cross-site request forgery (CSRF)/user import vulnerability in Members Import, discovered by us
- Arbitrary file upload vulnerability in N-Media Post Front-end Form, discovered by us
- Local file inclusion (LFI) vulnerability in InPost Gallery, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in InPost Gallery, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Simply Static, discovered by us
- Cross-site request forgery (CSRF) vulnerability in GoDaddy Email Marketing, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn't enough to keep you secure, as these vulnerabilities in the current versions of plugins show.
- SQL injection vulnerability in bbPress Like Button, discovered by us
- SQL injection vulnerability in Party Hall Booking Manager, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in WordPress Appointment Schedule Booking System, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in EventCommerce WP Event Calendar, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in WP Quick Booking Manager, discovered by us
- Arbitrary file upload vulnerability in WP Marketplace, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Site Analytics Plugin, discovered by us
- Remote code execution (RCE) vulnerability in Return to top
- Remote code execution (RCE) vulnerability in Page Google Map
- Remote code execution (RCE) vulnerability in Gallery Slider
- Remote code execution (RCE) vulnerability in G Translate
- Remote code execution (RCE) vulnerability in Share Buttons WP
- Remote code execution (RCE) vulnerability in MailChimp Integration
- Remote code execution (RCE) vulnerability in Smart Videos
- Remote code execution (RCE) vulnerability in SEO Rotator For Images
- Remote code execution (RCE) vulnerability in Ads widget
- Remote code execution (RCE) vulnerability in SEO Keyword Page
- Remote code execution (RCE) vulnerability in Handy Lightbox
- Remote code execution (RCE) vulnerability in WP Popup
- Remote code execution (RCE) vulnerability in Google Analytics Analyze
- Remote code execution (RCE) vulnerability in Cookie Eu
- Local file inclusion (LFI) vulnerability in SAM Pro (Free Edition), discovered by us
- Local file inclusion (LFI) vulnerability in Simple Ads Manager, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities disclosed this month that we added to our data:
- Arbitrary file viewing vulnerability in CP Image Store with Slideshow, discovered by Joaquin Ramirez Martinez
- Reflected cross-site scripting (XSS) vulnerability in WP-Members, discovered by JDD
- Persistent cross-site scripting (XSS) vulnerability in iThemes Security, discovered by Slavco Mihajloski
- Arbitrary file viewing vulnerability in Simply Static, discovered by Bas
- Reflected cross-site scripting (XSS) vulnerability in WP Editor, discoverer unmentioned
- Local file inclusion (LFI) vulnerability in InPost Gallery, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in InPost Gallery, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Gravity Forms, discovered by c0mmand3rOpSec
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Simply Static, discovered by us
- Cross-site request forgery (CSRF) vulnerability in GoDaddy Email Marketing, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Appointment Calendar, discovered by Naeem Shah