What We Were Up To in February, 2017
Here is what we had been doing to keep our customers’ websites secure from WordPress plugin vulnerabilities during February (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details of one review (another one has been completed and will be released shortly, hopefully after the developer releases a version that fixes the most serious issue):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities others have discovered; we also discover vulnerabilities while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
- Persistent cross-site scripting (XSS) vulnerability in XO Security
- Authenticated local file inclusion (LFI) vulnerability in Posts in Page
- Reflected cross-site scripting (XSS) vulnerability in Time Sheets
- Open redirect vulnerability in GTranslate
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Democracy Poll
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- Cross-site request forgery (CSRF) vulnerability in Watu, discovered by ?
- Authenticated persistent cross-site scripting (XSS) in Watu, discovered by ?
- Persistent cross-site scripting (XSS) vulnerability in XO Security, discovered by us
- Authenticated local file inclusion (LFI) vulnerability in Posts in Page, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in Corner Ad, discovered by Atik Rahman
- Reflected cross-site scripting (XSS) vulnerability in Time Sheets, discovered by us
- Open redirect vulnerability in GTranslate, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Democracy Poll, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show.
- Information disclosure vulnerability in WP Easy full backup, discovered by Larry W. Cashdollar
- Arbitrary file upload vulnerability in WP Simple Cart, discovered by ?
- Arbitrary file upload vulnerability in SpamTask, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Raygun4WP, discovered by yuyang998
- Arbitrary file upload vulnerability in Web Tripwire, discovered by ?
- Remote code execution vulnerability in Stats Wp, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Delete Comments By Status, discovered by Haojun Hou
- Reflected cross-site scripting (XSS) vulnerability in Double Opt-In for Download, discovered by Haojun Hou
- Reflected cross-site scripting (XSS) vulnerability in ActiveHelper LiveHelp Live Chat, discovered by Haojun Hou
- Cross-site request forgery (CSRF) vulnerability in ByREV WP-PICShield – HOTLINK Defence, discovered by Zachary Julian
- Reflected cross-site scripting (XSS) vulnerability in ULTIMATE VIDEO GALLERY, discovered by yuyang998
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Simple Newsletter Plugin, discovered by yuyang998
- Reflected cross-site scripting (XSS) vulnerability in Simply Symphony Adaptive Editor, discovered by Haojun Hou
- Reflected cross-site scripting (XSS) vulnerability in Fungif The Awesome GIFs, discovered by Haojun Hou
- Reflected cross-site scripting (XSS) vulnerability in GNUCommerce, discovered by Haojun Hou
- Reflected cross-site scripting (XSS) vulnerability in Easy2Map Photos, discovered by Haojun Hou
- Reflected Cross-Site Scripting (XSS) Vulnerability in WP Ad Guru Lite, discovered by yuyang998
- Reflected Cross-Site Scripting (XSS) Vulnerability in Esponce QR Code Generator, discovered by yuyang998
- Reflected cross-site scripting (XSS) vulnerability in Rotating Testimonial, discovered by yuyang998
- Reflected cross-site scripting (XSS) vulnerability in Post Logo, discovered by yuyang998
- Reflected cross-site scripting (XSS) vulnerability in Really Simple Gallery, discovered by yuyang998
- Reflected cross-site scripting (XSS) vulnerability in WoWPth, discovered by yuyang998
- Reflected cross-site scripting (XSS) vulnerability in AuMenu, discovered by yuyang998
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities disclosed this month that we added to our data:
- Reflected cross-site scripting (XSS) vulnerability in Watu, discovered by ?
- Cross-site request forgery (CSRF) vulnerability in Watu, discovered by ?
- Authenticated persistent cross-site scripting (XSS) in Watu, discovered by ?
- Persistent cross-site scripting (XSS) vulnerability in XO Security, discovered by us
- Authenticated persistent cross-site scripting vulnerability in BP Better Messages, discovered by ?
- Authenticated local file inclusion (LFI) vulnerability in Posts in Page, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in Corner Ad, discovered by Atik Rahman
- Reflected cross-site scripting (XSS) vulnerability in Time Sheets, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WordPress.com Custom CSS, discovered by yuyang998
- Open redirect vulnerability in GTranslate, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in GD Rating System, discovered by Haojun Hou
- Arbitrary file viewing vulnerability in WP Hide & Security Enhancer, discovered by ?
- SQL injection vulnerability in NextGEN Gallery, discovered by Sucuri
- Reflected cross-site scripting (XSS) vulnerability in Dialog Contact Form, discovered by Haojun Hou
- Reflected cross-site scripting (XSS) vulnerability in Zibbra, discovered by yuyang998
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Democracy Poll, discovered by us