What Happened With WordPress Plugin Vulnerabilities in April 2018
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, our service provides it.
Here is what we did during April to keep those who are already using our service secure from WordPress plugin vulnerabilities (and what you have been missing out on if you haven’t signed up yet):
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered; we also discover vulnerabilities ourselves through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
- Cross-site request forgery (CSRF) vulnerability in Custom Permalinks
- PHP object injection vulnerability in Disc Golf Manager
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in WP Docs
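Two of the three vulnerabilities above combine a missing nonce check with unserialize() on request data. As an added illustration that is not the code of WP Docs or any other plugin named on this page, the following shows that pattern in a hypothetical WordPress admin handler beside its hardened form. The plugin, option, field and nonce names are made up for the example; the WordPress functions called (check_admin_referer, current_user_can, wp_unslash, update_option, absint, sanitize_text_field, wp_nonce_field) are the real API.

```php
<?php
// Added illustration, not the code of any plugin listed on this page.
// All names prefixed "example_" are hypothetical.

// Vulnerable form: reachable by any request that lands in the admin area,
// with no capability check, no nonce, and unserialize() on attacker input.
function example_vulnerable_save_settings() {
    if ( isset( $_POST['example_settings'] ) ) {
        // A form on a third-party site can submit this field in a logged-in
        // admin's browser (CSRF). unserialize() then instantiates whatever
        // classes the serialized string names, so any class with a __wakeup()
        // or __destruct() side effect loaded by the site becomes a gadget
        // (PHP object injection).
        $settings = unserialize( wp_unslash( $_POST['example_settings'] ) );
        update_option( 'example_plugin_settings', $settings );
    }
}

// Hardened form: capability check, nonce check, and no unserialize() at all.
function example_hardened_save_settings() {
    if ( ! isset( $_POST['example_settings'] ) ) {
        return;
    }
    // 1. Only users permitted to change site settings may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. The request must carry a nonce bound to this action and to the
    //    current user; a cross-site form cannot obtain one. check_admin_referer()
    //    calls wp_die() itself when the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Accept JSON instead of a PHP-serialized string, then validate the
    //    shape and sanitize each field before storing it.
    $decoded = json_decode( wp_unslash( $_POST['example_settings'] ), true );
    if ( ! is_array( $decoded ) ) {
        wp_die( 'Malformed settings.' );
    }
    $settings = array(
        'per_page' => absint( $decoded['per_page'] ?? 10 ),
        'title'    => sanitize_text_field( $decoded['title'] ?? '' ),
    );
    update_option( 'example_plugin_settings', $settings );
}

// The settings form that posts to the hardened handler must emit the matching
// nonce field, e.g. inside the <form>:
//   wp_nonce_field( 'example_save_settings', 'example_nonce' );
add_action( 'admin_init', 'example_hardened_save_settings' );
```

If a plugin genuinely has to accept PHP-serialized data, PHP 7.0 and later let it call unserialize() with the options array `array( 'allowed_classes' => false )`, which turns every object in the string into `__PHP_Incomplete_Class` instead of instantiating it; that removes the object injection but not the CSRF, so the nonce and capability checks are still required.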
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in WP Docs, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show.
Notably, this month a couple of plugins with a combined 150,000+ active installations have not been fixed, but other data sources all incorrectly list them as fixed.
- Cross-site request forgery (CSRF) vulnerability in Custom Permalinks, discovered by us
- Arbitrary file deletion vulnerability in Google Drive for WordPress (wp-google-drive), discovered by Lenon Leite
- PHP object injection vulnerability in Disc Golf Manager, discovered by us
- Authenticated arbitrary file deletion vulnerability in Woo Import Export, discovered by Lenon Leite
- Cross-site request forgery (CSRF)/arbitrary file deletion vulnerability in Woo Import Export, discovered by Lenon Leite
- Arbitrary file deletion vulnerability in WP Pipes, discovered by Lenon Leite
- Arbitrary file viewing vulnerability in WP with Spritz, discovered by Wadeek
- Persistent cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Luigi Gubello
- Persistent cross-site scripting (XSS) vulnerability in Caldera Forms, discovered by Federico Scalco
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month.
- Local file inclusion (LFI) vulnerability in Simple Fields, discovered by ?
- Authenticated cross-site scripting (XSS) vulnerability in My Calendar, discovered by Luigi Gubello
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in My WordPress Login Logo, discovered by ?
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in RatingWidget, discovered by ?
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in WP Docs, discovered by us
- Settings change vulnerability in WP Image Zoom, discovered by Tom Adams of dxw
- Cross-site request forgery (CSRF)/settings change vulnerability in WP Image Zoom, discovered by Tom Adams of dxw
- Information disclosure vulnerability in RatingWidget, discovered by Tom Adams of dxw
- Settings change vulnerability in Like Button Rating ♥ LikeBtn, discovered by Tom Adams of dxw
- Information disclosure vulnerability in WP Security Audit Log, discovered by Colette Chamberland
- Reflected cross-site scripting (XSS) vulnerability in Relevanssi, discovered by Stefan Broeder