[Read more]

[Read more]

[Read more]

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Week

• Information disclosure vulnerability in WP Ultimate Exporter

Plugin Vulnerabilities We Helped Get Fixed This Week

• Authenticated persistent cross-site scripting (XSS) in Calculated Fields Form, discovered by Joaquin Ramirez Martinez

Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins

• Remote code execution vulnerability in Social Media Tab, discovered by SiteLock
• SQL injection vulnerability in WP Ultimate Exporter , discovered by Henri Salo
• Information disclosure vulnerability in WP Ultimate Exporter, discovered by us
• Cross-site request forgery (CSRF) vulnerability in More Fields, discovered by Aatif Shahdad

Additional Plugin Vulnerabilities Added This Week

• Reflected cross-site scripting (XSS) vulnerability in Testimonial Slider, discovered by SiteLock
• Reflected cross-site scripting (XSS) vulnerability in Gravity Forms, discovered by Henri Salo
• Privilege escalation vulnerability in Bulk Delete, discovered by Panagiotis Vagenas
• Cross-site request forgery (CSRF) vulnerability in CP Polls, discovered by Joaquin Ramirez Martinez
• Cross-site request forgery (CSRF)/cross-site scripting (XSS)vulnerability in CP Polls, discovered by Joaquin Ramirez Martinez
• PHP object injection in Easy Digital Downloads, discovered by Danny van Kooten

  [Read more]

Plugin Vulnerabilities We Helped Get Fixed This Week

• Cross site request forgery (CSRF) in Booking Calendar Contact Form, discovered by Joaquin Ramirez Martinez

Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins

• Authenticated persistent cross-site scripting (XSS) in Calculated Fields Form, discovered by Joaquin Ramirez Martinez

Additional Plugin Vulnerabilities Added This Week

• Reflected cross-site scripting (XSS) in WP Advanced Importer Plugin, discovered by Rahul Pratap Singh
• Reflected cross-site scripting (XSS) in CSV Import, discovered by Rahul Pratap Singh
• Reflected cross-site scripting (XSS) in Import Woocommerce, discovered by Rahul Pratap Singh
• Reflected cross-site scripting (XSS) in WP Ultimate Exporter, discovered by Rahul Pratap Singh
• Privilege escalation in Extra User Details, discovered by Panagiotis Vagenas
• Authenticated session hijacking in Calculated Fields Form, discovered by Joaquin Ramirez Martinez

Plugin Vulnerabilities Added This Week

• Cross-site request forgery (CSRF)/cross-site scripting (XSS) in ALO EasyMail Newsletter, discovered by Mohsen Lotfi
• Authenticated arbitrary file upload in Backup Guard, discovered by James Golovich
• Cross-site request forgery (CSRF) in WooCommerce – Store Exporter, discovered by James Golovich

False Vulnerability Reports

• Security Issue not in Beaver Builder Lite

Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins

• Open redirect in Clik stats, discovered by Ashiyane Digital Security Team
• Reflected cross-site scripting (XSS) in WooCommerce Currency Switcher, discovered by Ben Khlifa Fahmi

Additional Plugin Vulnerabilities Added This Week

• Reflected cross-site scripting (XSS) in InstaLinker, discovered by Persian Hack Team
• Reflected cross-site scripting (XSS) in Huge IT Image Gallery, discovered by Kacper Szurek
• Authenticated persistent cross-site scripting (XSS) in Universal Analytics, discovered by Ulrich
• Information disclosure in User Meta Manager, discovered by Panagiotis Vagenas
• Privilege escalation in WooCommerce – Store Toolkit, discovered by Panagiotis Vagenas
• Cross-site request forgery (CSRF)/information disclosure in Duplicator, discovered by RatioSec Research
• Authenticated SQL injection in Booking Calendar Contact Form, discovered by Joaquin Ramirez Martinez
• SQL injection in Booking Calendar Contact Form, discovered by Joaquin Ramirez Martinez
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) in Booking Calendar Contact Form, discovered by Joaquin Ramirez Martinez

False Vulnerability Reports

• Reflected XSS not in eShop

Plugin Vulnerabilities We Helped Get Fixed This Week

• Cross site request forgery (CSRF) in Simple add pages or posts, discovered by ALIREZA_PROMIS
• Reflected cross-site scripting (XSS) in IMPress Listings, discovered by Kris

Plugin Vulnerabilities Added This Week

• Cross site request forgery (CSRF) in Simple add pages or posts, discovered by ALIREZA_PROMIS
• Reflected cross-site scripting (XSS) in Profile Builder, discovered by Kacper Szurek
• Reflected cross-site scripting (XSS) in MailPoet Newsletters, discovered by Omar Kurt
• Authenticated SQL injection in User Meta Manager, discovered by Panagiotis Vagenas
• Privilege escalation in User Meta Manager, discovered by Panagiotis Vagenas
• Reflected cross-site scripting (XSS) in Connections Business Directory, discovered by Larry W. Cashdollar

Plugin Vulnerabilities Added This Week That Are In The Current Version of the Plugins

• Reflected cross-site scripting (XSS) vulnerability in IMPress Listings, discovered by Kris

Additional Plugin Vulnerabilities Added This Week

• SQL injection in Appointment Booking Calendar, discovered by Joaquin Ramirez Martinez
• Authenticated SQL injection in Appointment Booking Calendar, discovered by Joaquin Ramirez Martinez
• Cross-site request forgery (CSRF)/cross-site scripting (XSS) in Appointment Booking Calendar, discovered by Joaquin Ramirez Martinez
• Authenticated SQL injection in Formidable Forms, discovered by Kacper Szurek
• Reflected cross-site scripting (XSS) in WP Ultimate CSV Importer, discovered by Rahul Pratap Singh

Plugin Vulnerabilities Added This Week

• Information disclosure vulnerability in Simple Download Monitor, discovered by James Golovich
• Privilege escalation vulnerability in WordPress Download Manager, discovered by James Golovich
• Information disclosure  vulnerability in WordPress Download Manager, discovered by James Golovich