What Happened With WordPress Plugin Vulnerabilities in March 2017
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during March (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for reviews of (one more review was completed and will be released after the developer has a chance to fix an identified issue):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered; we also discover vulnerabilities while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Really Simple Gallery
- Improper access control vulnerability in Invite Anyone, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Invite Anyone
- Authenticated document modification vulnerability in BP Group Documents, discovered by us
- Information disclosure vulnerability in Easy Digital Downloads
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- Improper access control vulnerability in Invite Anyone, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Invite Anyone, discovered by us
- Authenticated document modification vulnerability in BP Group Documents, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Tribulant Slideshow Gallery, discovered by Spyros Gasteratos
- Authenticated arbitrary file upload vulnerability in WordPress Download Manager, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show.
- Arbitrary file upload vulnerability in Zen Mobile App Native, discovered by Larry W. Cashdollar
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in AnyVar, discovered by Larry W. Cashdollar
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Pegleg Badges, discovered by Larry W. Cashdollar
- Reflected cross-site scripting (XSS) vulnerability in Alpine PhotoTile for Instagram, discovered by Antonis Manaras
- Reflected cross-site scripting (XSS) vulnerability in Google Analytics Dashboard, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in WP-SpamFree Anti-Spam, discovered by Radjnies Bhansingh
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in WP-Filebase, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Customize WordPress Login Page, discovered by Burak Kelebek
- Arbitrary file upload vulnerability in Wp2Android – webapp builder, discovered by Larry W. Cashdollar
- Arbitrary file upload vulnerability in Webapp builder, discovered by Larry W. Cashdollar
- Arbitrary file upload vulnerability in Mobile app builder by Wappress, discovered by Larry W. Cashdollar
- Arbitrary file upload vulnerability in How to Create an App for Android iPhone Easytouch, discovered by Larry W. Cashdollar
- Cross-site request forgery (CSRF)/remote code execution (RCE) vulnerability in Global Content Blocks, discovered by Yorick Koster
- PHP object injection vulnerability in Simple Ads Manager, discovered by Yorick Koster
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in File Manager, discovered by David Vaartjes
- Persistent cross-site scripting (XSS) vulnerability in Dtracker, discovered by Larry W. Cashdollar
- SQL injection vulnerability in Dtracker, discovered by Larry W. Cashdollar
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Really Simple Gallery, discovered by us
- Arbitrary file viewing vulnerability in Membership Simplified, discovered by Larry W. Cashdollar
- SQL injection vulnerability in Membership Simplified, discovered by Larry W. Cashdollar
- Persistent cross-site scripting (XSS) vulnerability in Contact Form 7 Database, discovered by stefan sk
- Possible remote code execution (RCE) vulnerability in Lightbox Wp, discovered by ?
- Information disclosure vulnerability in Easy Digital Downloads, discovered by us
Additional Vulnerabilities Added This Month
As usual, plenty of other vulnerabilities were disclosed this month that we added to our data:
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Contact Form Manager, discovered by Edwin Molenaar
- Remote database access vulnerability in Adminer, discovered by David Vaartjes
- Reflected cross-site scripting (XSS) vulnerability in Trust Form, discovered by Yorick Koster
- Persistent cross-site scripting (XSS) vulnerability in NewStatPress, discovered by Han Sahin
- Persistent cross-site scripting (XSS) vulnerability in Contact Form by BestWebSoft, discovered by Julien Rentrop
- Cross-site request forgery (CSRF) vulnerability in Gwolle Guestbook, discovered by Radjnies Bhansingh
- Persistent cross-site scripting (XSS) vulnerability in Gwolle Guestbook, discovered by Radjnies Bhansingh
- Authenticated arbitrary file upload vulnerability in Profile Builder, discovered by ?
- Authenticated document modification vulnerability in BuddyPress Docs, discovered by Ewoud Vlasselaer, Eric Schayes, and Nabeel Ahmed
- Authenticated arbitrary email sending vulnerability in Invite Anyone, discovered by Ewoud Vlasselaer, Eric Schayes, and Nabeel Ahmed
- Improper access control vulnerability in Invite Anyone, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Invite Anyone, discovered by us
- Cross-site request forgery (CSRF)/plugin deletion vulnerability in WHIZZ, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in WHIZZ, discovered by ?
- Cross-site request forgery (CSRF)/user deletion vulnerability in WHIZZ, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in CopySafe PDF Protection, discovered by ?
- Authenticated document modification vulnerability in BP Group Documents, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in WordPress Download Manager, discovered by Burak Kelebek