If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during June (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

• Google XML Sitemaps

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities while monitoring hackers activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

This month the most concerning vulnerabilities we found were a couple of information disclosure vulnerabilities, one that exposes contact form submissions saved by a plugin and the other exposes customer information from CRM plugin. Neither of those has been fixed yet.

• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update
• Information disclosure vulnerability in Save Contact Form 7
• Authenticated information disclosure vulnerability in Contact Form 7 Database
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Count per Day
• Authenticated persistent cross-site scripting (XSS) vulnerability in WP Posts Carousel
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Skype Legacy Buttons
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu
• Cross-site request forgery (CSRF) vulnerability in Contact Form 7 – PayPal Add-on
• Cross-site request forgery (CSRF) vulnerability in PayPal Digital Downloads
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Shopping Cart
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Easy PayPal Gift Certificate
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Buy Now Button
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Multi Feed Reader
• Reflected cross-site scripting (XSS) vulnerability in uCare
• Reflected cross-site scripting (XSS) vulnerability in Product Catalog
• Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Newsletters
• Information disclosure vulnerability in UpiCRM
• Cross-site request forgery (CSRF)/settings change vulnerability in Salon booking system
• Reflected cross-site scripting (XSS) vulnerability in Postman SMTP
• Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of plugin is useful, but it is much more useful if you can fully protect yourself by simple updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 340,000+ active installs:

• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update, discovered by us
• Full path disclosure vulnerability in BackUpWordPress, discovered by us
• Reflected cross-site scripting (XSS) vulnerability in Newsletters, discovered by Neven Biruski
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu, discovered by us
• Reflected cross-site scripting (XSS) vulnerability in uCare, discovered by us
• Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection, discovered by us

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

• Information disclosure vulnerability in Save Contact Form 7, discovered by us
• Authenticated information disclosure vulnerability in Contact Form 7 Database, discovered by us
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Count per Day, discovered by us
• Authenticated persistent cross-site scripting (XSS) vulnerability in WP Posts Carousel, discovered by us
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Skype Legacy Buttons, discovered by us
• Cross-site request forgery (CSRF) vulnerability in Contact Form 7 – PayPal Add-on, discovered by us
• Cross-site request forgery (CSRF) vulnerability in PayPal Digital Downloads, discovered by us
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Shopping Cart, discovered by us
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Easy PayPal Gift Certificate, discovered by us
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Buy Now Button, discovered by us
• Reflected cross-site scripting (XSS) vulnerability in WP Custom Fields Search, discovered by Dimitrios Tsagkarakis
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Multi Feed Reader, discovered by us
• Reflected cross-site scripting (XSS) vulnerability in Product Catalog, discovered by us
• Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Newsletters, discovered by us
• Information disclosure vulnerability in UpiCRM, discovered by us
• Cross-site request forgery (CSRF)/settings change vulnerability in Salon booking system, discovered by us
• Reflected cross-site scripting (XSS) vulnerability in Postman SMTP, discovered by us

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month.

For the most serious vulnerabilities fixed this the plugin didn’t get its version number changed, so those already using the latest version are left vulnerable. We notified the developer over two weeks ago, but they haven’t resolved that yet. If you were using our service you would have been notified about the situation already and could have taken action to protect yourself. As far as we can tell no other data providers even include the vulnerability in their data set (we do much more collective data collection than anyone else).

• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update, discovered by us
• Reflected cross-site scripting (XSS) vulnerability in Memphis Documents Library, discovered by?
• Order duplication vulnerability in WC Duplicate Order, discovered by dungengronovius
• SQL injection vulnerability in Save Contact Form 7, discovered by ?
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu, discovered by us
• Settings change vulnerability in WP Custom Admin Login Page Logo, discovered by po1838660997
• Reflected cross-site scripting vulnerability in Spiffy Calendar, discovered by Dimitrios Tsagkarakis
• Authenticated SQL injection vulnerability in Event List, discovered by Dimitrios Tsagkarakis
• Persistent cross-site scripting (XSS) vulnerability in RSVP, discovered by ?
• File manager access vulnerability in WP File Manager, discovered by ?
• Arbitrary file upload vulnerability in WP File Manager, discovered by ?
• Arbitrary file viewing vulnerability in WP File Manager, discovered by ?
• Authenticated file manager access vulnerability in File Manager, discovered by ?
• Authenticated arbitrary file upload vulnerability in File Manager, discovered by ?
• Authenticated arbitrary file viewing vulnerability in File Manager, discovered by ?
• Reflected cross-site scripting (XSS) vulnerability in WP-Members, discovered by Chris Liu
• Authenticated open redirect vulnerability in WordPress Download Manager, discoverd by Gen Sato of Mitsui Bussan Secure Directions, Inc.
• Reflected cross-site scripting (XSS) vulnerability in WordPress Download Manager, discovered by Gen Sato of Mitsui Bussan Secure Directions, Inc.
• Reflected cross-site scripting (XSS) vulnerability in WordPress Download Manager, discovered by Tom Adams of dxwsecurity
• Reflected cross-site scripting (XSS) vulnerability in All-in-One WP Migration, discovered by Oways
• Reflected cross-site scripting (XSS) vulnerability in Analytics Tracker, discovered by Arjan Snaterse
• Reflected cross-site scripting (XSS) vulnerability in uCare, discovered by us
• Authenticated SQL injection vulnerability in Product Catalog, discovered by Lenon Leite
• Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection, discovered by us
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Custom Sidebars, discovered by qasuar
• Reflected cross-site scripting (XSS) vulnerability in Event Calendar WD, discovered by Chris Liu