What Happened With WordPress Plugin Vulnerabilities in October 2017
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during October (and what you have been missing out on if you haven't signed up yet, which you can currently do for half off):
Plugin Security Reviews
Paid customers of the service can suggest and vote on plugins to have a security review done by us.
We don’t currently have any more plugins queued up for a review, so if you sign up now for the service, a plugin you suggest could be reviewed right away.
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don't just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers' activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.
There were not any really concerning vulnerabilities this month, as either the plugins are not widely used or the vulnerabilities would not be all that useful for untargeted attacks (which make up the vast majority of attacks).
- Authenticated arbitrary file upload vulnerability in WordPress Book List
- Arbitrary file viewing vulnerability in WP Post Popup
- Cross-site scripting (XSS) vulnerability in WP Post Popup
- Authenticated PHP object injection vulnerability in Event List
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Event List
- Cross-site request forgery (CSRF) vulnerability in Event List
- Tweet sending vulnerability in TwitterCart
- Authenticated option deletion vulnerability in My WP Translate
- Arbitrary file viewing vulnerability in Candidate Application Form
- Authenticated arbitrary file viewing vulnerability in Awesome Support
- Authenticated arbitrary file deletion vulnerability in Awesome Support
- Restricted file upload vulnerability in Social Articles
- Authenticated local file inclusion (LFI) vulnerability in PluginOps Page Builder
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 589,980+ active installs:
- Reflected cross-site scripting (XSS) vulnerability in Google Pagespeed Insights, discovered by ?
- Reflected cross-site scripting (XSS) in WooCommerce PDF Invoices & Packing Slips, discovered by ?
- Arbitrary file viewing vulnerability in WP Post Popup, discovered by us
- Cross-site scripting (XSS) vulnerability in WP Post Popup, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Crelly Slider, discovered by ?
- Authenticated PHP object injection vulnerability in Event List, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Event List, discovered by us
- Tweet sending vulnerability in TwitterCart, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in My WP Translate, discovered by ?
- Authenticated option deletion vulnerability in My WP Translate, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Booking Calendar, discovered by ?
- Flash cross-site scripting (XSS) vulnerability in Caldera Forms, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in pootle button, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Simple Membership, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in My Tickets, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Max Mega Menu, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Product Catalog, discovered by ning1022
- Authenticated SQL injection vulnerability in Product Catalog, discovered by ning1022
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Product Catalog, discovered by ning1022
- Authenticated PHP object injection vulnerability in Media Library Assistant, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Media Library Assistant, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP-Members, discovered by ?
- Authenticated arbitrary file viewing vulnerability in Awesome Support, discovered by ?
- Authenticated arbitrary file deletion vulnerability in Awesome Support, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Popup by Supsystic, discovered by ?
- Restricted file upload vulnerability in Social Articles, discovered by us
- Authenticated local file inclusion (LFI) vulnerability in PluginOps Page Builder, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn't enough to keep you secure, as these vulnerabilities in the current versions of plugins show:
- Authenticated arbitrary file upload vulnerability in WordPress Book List, discovered by us
- Cross-site request forgery (CSRF) vulnerability in Event List, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in TR Easy Google Analytics, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Influencer Marketing & Press Release System, discovered by neorichi
- Persistent cross-site scripting (XSS) vulnerability in Front-End Only Users, discovered by Daniele Scasciafratte
- Arbitrary file viewing vulnerability in Candidate Application Form, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Use Any Font, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Duplicate Page, discovered by ?
- Authenticated SQL injection vulnerability in Duplicate Page, discovered by ?
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Duplicate Page, discovered by ?
- Cross-site request forgery (CSRF) vulnerability in Duplicate Page, discovered by us
- Authenticated information disclosure vulnerability in Duplicate Page, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. The most concerning of the bunch was the arbitrary file upload vulnerability in Facebook Like Box, which was possibly intentionally added to the plugin.
- Reflected cross-site scripting (XSS) vulnerability in Google Pagespeed Insights, discovered by ?
- PHP object injection vulnerability in Flickr Gallery, discovered by Wordfence
- Reflected cross-site scripting (XSS) in WooCommerce PDF Invoices & Packing Slips, discovered by ?
- Arbitrary file viewing vulnerability in WP Post Popup, discovered by us
- Cross-site scripting (XSS) vulnerability in WP Post Popup, discovered by us
- Arbitrary file viewing vulnerability in mb.miniAudioPlayer, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Crelly Slider, discovered by ?
- Cross-site request forgery (CSRF) vulnerability in Crelly Slider, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Event List, discovered by ning1022
- Authenticated PHP object injection vulnerability in Event List, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Event List, discovered by us
- Tweet sending vulnerability in TwitterCart, discovered by us
- Authenticated local file inclusion (LFI) vulnerability in Insert Pages, discovered by ?
- Authenticated SQL query execution vulnerability in EZ SQL Reports Shortcode Widget and DB Backup, discovered by J.D. Grimes
- Reflected cross-site scripting (XSS) vulnerability in My WP Translate, discovered by ?
- Authenticated option deletion vulnerability in My WP Translate, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Booking Calendar, discovered by ?
- Flash cross-site scripting (XSS) vulnerability in Caldera Forms, discovered by ?
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Simple Login Log, discovered by DefenseCode
- Reflected cross-site scripting (XSS) vulnerability in PopCash.Net Code Integration Tool, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in pootle button, discovered by Ricardo Sanchez
- Reflected cross-site scripting (XSS) vulnerability in Simple Membership, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in My Tickets, discovered by ?
- Authenticated persistent cross-site scripting (XSS) vulnerability in StarBox, discovered by ?
- Cross-site request forgery (CSRF)/settings change vulnerability in Facebook Like Box, discovered by ?
- Arbitrary file upload vulnerability in Facebook Like Box, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in External Media without Import, discovered by Mike Vastola
- Reflected cross-site scripting (XSS) vulnerability in Max Mega Menu, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Product Catalog, discovered by ning1022
- Authenticated SQL injection vulnerability in Product Catalog, discovered by ning1022
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Product Catalog, discovered by ning1022
- Reflected cross-site scripting (XSS) vulnerability in WP-Members, discovered by ?
- Authenticated arbitrary file viewing vulnerability in Awesome Support, discovered by ?
- Authenticated arbitrary file deletion vulnerability in Awesome Support, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Popup by Supsystic, discovered by ?
- SQL injection vulnerability in Poll, discovered by Manish Kishan Tanwar
- Restricted file upload vulnerability in Social Articles, discovered by us
- SQL injection vulnerability in Ultimate Form Builder Lite, discovered by Wordfence and others
- Local file inclusion (LFI) vulnerability in PluginOps Page Builder, discovered by ?
- Authenticated local file inclusion (LFI) vulnerability in PluginOps Page Builder, discovered by us
- Page moving vulnerability in CMS Tree Page View, discovered by dxwsecurity and sheenas
- Authenticated formula injection via CSV vulnerability in WordCamp Talks, discovered by whitehatter
- Reflected cross-site scripting (XSS) vulnerability in Caldera Forms, discovered by Will Brand
- Reflected cross-site scripting (XSS) vulnerability in User Login History, discovered by Nicolas Buzy-Debat