What Happened With WordPress Plugin Vulnerabilities in January 2018
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during January (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Paid customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for reviews of:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.
The most concerning vulnerabilities were a couple of vulnerabilities of types highly likely to be exploited in a plugin that was removed from the Plugin Directory 5 years ago but is still installed on 500+ websites according to wordpress.org.
- Server side request forgery (SSRF) vulnerability in HTTP Headers
- Arbitrary file upload vulnerability in WordPress Forms
- PHP object injection vulnerability in WordPress Forms
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of plugin is useful, but it is much more useful if you can fully protect yourself by simple updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.
- Authenticated information disclosure vulnerability in Media from FTP, discovered by d4wner
- Server side request forgery (SSRF) vulnerability in HTTP Headers, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Affiliate Ads for Clickbank Products, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Smart Marketing SMS and Newsletters Forms, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in PropertyHive, discovered by Ricardo Sanchez
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:
- Authenticated persistent cross-site scripting (XSS) vulnerability in Power Charts, discovered by J.D. Grimes
- Authenticated persistent cross-site scripting (XSS) vulnerability in WP GitHub Tools, discovered by J.D. Grimes
- Arbitrary file upload vulnerability in WordPress Forms, discovered by us
- PHP object injection vulnerability in WordPress Forms, discovered by us
- SQL injection vulnerability in User Control, discovered by JustThomas
- Reflected cross-site scripting (XSS) vulnerability in MQ ReLinks, discovered by Ricardo Sanchez
- Open redirect vulnerability in MQ ReLinks, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Soundy Background Music, discovered by Neven Biruski
- Reflected cross-site scripting (XSS) vulnerability in Soundy Audio Playlist, discovered by Neven Biruski
- Authenticated persistent cross-site scripting (XSS) vulnerability in Add Link to Facebook, discovered by d4wner
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Read and Understood, discovered by d4wner
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. The most serious vulnerability here being an arbitrary file upload vulnerability in LearnDash LMS that was discovered after it was already being exploited.
- Persistent cross-site scripting (XSS) vulnerability in Smart Google Code Inserter, discovered by Benjamin Lim
- SQL injection vulnerability in Smart Google Code Inserter, discovered by Benjamin Lim
- Arbitrary file upload vulnerability in LearnDash LMS, discovered by NinTechNet
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Social Media Widget by Acurax, discovered by Panagiotis Vagenas
- Cross-site request forgery (CSRF)/plugin installation vulnerability in Download Manager (WordPress Download Manager), discovered by Panagiotis Vagenas
- Authenticated information disclosure vulnerability in Media from FTP, discovered by d4wner
- Authenticated persistent cross-site scripting (XSS) vulnerability in Simple Download Monitor, discovered by d4wner
- Server side request forgery (SSRF) vulnerability in HTTP Headers, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Splashing Images, discovered by Nicolas Buzy-Debat
- Authenticated PHP object injection vulnerability in Splashing Images, discovered by Nicolas Buzy-Debat
- Cross-site request forgery(CSRF)/PHP object injection vulnerability in Splashing Images, discovered by Nicolas Buzy-Debat
- Information disclosure vulnerability in Email Subscribers & Newsletters, discovered by ThreatPress
- Authenticated SQL injection vulnerability in Smooth Slider, discovered by Neven Biruski
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Smooth Slider, discovered by Neven Biruski
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in CMS Tree Page View, discovered by Panagiotis Vagenas
- Authenticated post draft creation vulnerability in CMS Tree Page View, discovered by Panagiotis Vagenas
- Cross-site request forgery(CSRF)/page moving vulnerability in CMS Tree Page View, discovered by Panagiotis Vagenas
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Admin Menu Tree Page View, discovered by Panagiotis Vagenas
- Authenticated post draft creation vulnerability in Admin Menu Tree Page View, discovered by Panagiotis Vagenas
- Authenticated page moving vulnerability in Admin Menu Tree Page View, discovered by Panagiotis Vagenas
- Cross-site request forgery(CSRF)/page moving vulnerability in Admin Menu Tree Page View, discovered by Panagiotis Vagenas
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in ImageInject, discovered by d4wner
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in SrbTransLatin, discovered by d4wner
- Authenticated persistent cross-site scripting (XSS) vulnerability in Dark Mode, discovered by d4wner
- Reflected cross-site scripting (XSS) vulnerability in Pinterest Feed, discovered by d4wner
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Coming Soon, discovered by d4wner
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Booking Calendar, discovered by d4wner
- Reflected cross-site scripting (XSS) vulnerability in GD Rating System, discovered by d4wner
- Cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in GD Rating System, discovered by d4wner
- Server side request forgery (SSRF) vulnerability in Google Forms, discovered by Jouko Pynnönen
- Cross-site scripting (XSS) vulnerability in Google Forms, discovered by Jouko Pynnönen
- Authenticated SQL injection vulnerability in YITH WooCommerce Wishlist, discovered by Sucuri
- Reflected cross-site scripting (XSS) vulnerability in PropertyHive, discovered by Ricardo Sanchez