What We Were Up To in January, 2017
Here is what we had been doing to keep our customers’ websites secure from WordPress plugin vulnerabilities during January (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Customers of the service can suggest and vote on plugins to have a security review done by us. This month we did reviews of:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities others have discovered; we also discover vulnerabilities ourselves while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
- Information disclosure vulnerability in Pike Firewall
- Reflected cross-site scripting (XSS) vulnerability in WangGuard
- Open redirect vulnerability in moreAds SE
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in ABASE
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- Reflected cross-site scripting (XSS) vulnerability in Super Socializer
- Reflected cross-site scripting (XSS) vulnerability in WangGuard
- Authenticated persistent cross-site scripting (XSS) vulnerability in Chained Quiz, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in moreAds SE, discovered by ?
- Open redirect vulnerability in moreAds SE, discovered by us
- Authenticated SQL injection vulnerability in WP Support Plus Responsive Ticket System, discovered by Lenon Leite
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show.
- Information disclosure vulnerability in Pike Firewall, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Contact Form DB, discovered by pkotsiop
- Arbitrary file upload vulnerability in DOP Slider, discovered by ?
- Arbitrary file upload vulnerability in Developer Tools, discovered by ?
- Arbitrary file upload vulnerability in ChikunCounter, discovered by ?
- Remote code execution (RCE) vulnerability in Google Maps by Daniel Martyn, discovered by ?
- Authenticated SQL injection vulnerability in WP Email Users, discovered by Lenon Leite
- Arbitrary file upload vulnerability in social, discovered by ?
- Arbitrary file upload vulnerability in PHP Analytics, discovered by ?
- Arbitrary file upload vulnerability in Seo Spy, discovered by ?
- Possible remote code execution (RCE) vulnerability in Easy Social Sharing, discovered by ?
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in ABASE, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities disclosed this month that we added to our data:
- Authenticated information disclosure vulnerability in XCloner – Backup and Restore, discovered by Louis Dion-Marcil
- PHP object injection vulnerability in Post Grid
- Authentication bypass vulnerability in WP Support Plus Responsive Ticket System, discovered by Kacper Szurek
- Persistent cross-site scripting (XSS) vulnerability in Chained Quiz, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Stop User Enumeration, discovered by Zeeshan
- Reflected cross-site scripting (XSS) vulnerability in Super Socializer, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in WangGuard, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in Chained Quiz, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Event Notifier, discovered by ?
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Arigato Autoresponder and Newsletter, discovered by ?
- Information disclosure vulnerability in W3 Total Cache, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in moreAds SE, discovered by ?
- Open redirect vulnerability in moreAds SE, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Hupso Share Buttons for Twitter, Facebook & Google+, discovered by ?
- PHP object injection vulnerability in Google Forms, discovered by Yorick Koster
- PHP object injection vulnerability in CMS Commander Client, discovered by Yorick Koster
- PHP object injection vulnerability in InfiniteWP Client, discovered by Yorick Koster
- Cross-site request forgery (CSRF) vulnerability in FormBuilder, discovered by Burak Kelebek
- Authenticated SQL injection vulnerability in FormBuilder, discovered by Burak Kelebek