20190823 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory (slug) | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| WP SVG Icons | <=3.2.2 | 3.2.3 | svg-vector-icon-plugin | Cross-Site Request Forgery + Arbitrary File Upload | https://wordpress.org/plugins/svg-vector-icon-plugin/ | Update | Plugin | | https://zeroauth.ltd/blog/2019/08/09/cve-2019-14216-svg-vector-icon-plugin-wordpress-plugin-vulnerable-to-csrf-and-arbitrary-file-upload-leading-to-remote-code-execution/ |
| WP Front End Profile | <0.2.1 | 0.2.2 | wp-front-end-profile | Privilege Escalation, Cross-Site Scripting | https://wordpress.org/plugins/wp-front-end-profile/ | Update Immediately | Plugin | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15111 |
| Import Export WordPress Users | <=1.3.1 | 1.3.2 | users-customers-import-export-for-wp-woocommerce | CSV Injection | https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/ | Update Immediately | Plugin | | https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/ |
| Web Librarian | <=3.5.4 | 3.5.5 | weblibrarian | SQL Injection | https://wordpress.org/plugins/weblibrarian/ | Update Immediately | Plugin | | https://wpvulndb.com/vulnerabilities/9553 |
| Cache Control | <=2.2.4 | 2.2.5, see notes | cache-control | Cross-Site Request Forgery + Settings Update | https://wordpress.org/plugins/cache-control/ | Update | Plugin | Repo shows the current version as 2.2.4, but the changelog shows 2.2.5 and the repository has the code committed. You might need to update manually until the dev corrects the tagging issue. | https://wordpress.org/plugins/cache-control/#developers |
| Bold Page Builder | <=2.3.1 | 2.3.3 | bold-page-builder | Unknown, see notes | https://wordpress.org/plugins/bold-page-builder/ | Update | Plugin | Changelog entries for 2.3.2 and 2.3.3 state "Improved Security" | https://wordpress.org/plugins/bold-page-builder/#developers |
| WordPress Portfolio and Gallery Plugin – GridKit Gallery | <=1.8.18 | 1.8.20 | portfolio-wp | Unknown, see notes | https://wordpress.org/plugins/portfolio-wp/ | Update | Plugin | Changelog states "Security improvements" | https://wordpress.org/plugins/portfolio-wp/#developers |
| Additional Variation Images for WooCommerce | <=1.1.28 | 1.1.29 | woo-variation-gallery | Unknown, see notes | https://wordpress.org/plugins/woo-variation-gallery/ | Update | Plugin | Changelog states "Fix: Security Update" | https://wordpress.org/plugins/woo-variation-gallery/#developers |
| Customize Social Feed | <=1.2.2 | 1.2.3 | customize-facebook-feed | Unknown, see notes | https://wordpress.org/plugins/customize-facebook-feed/ | Update | Plugin | Changelog states "Security Issue Fixed" | https://wordpress.org/plugins/customize-facebook-feed/#developers |
| Complimentary greetings card addon for WooCommerce | see notes | unfixed, see notes | byconsole-greetingcard | Cross-Site Scripting | https://wordpress.org/plugins/byconsole-greetingcard/ | Remove | Plugin | Repo shows only the 1.0 tag. It looks like the dev updated the code but didn't increment the version and retag. You'll need to download the newest version manually until the dev updates the repo. | https://plugins.trac.wordpress.org/changeset/2142989 |
| FReview | <=1.0.2 | 1.0.3 | wp-facebook-review-showcase-lite | Unknown, see notes | https://wordpress.org/plugins/wp-facebook-review-showcase-lite/ | Update | Plugin | Changelog states "Security Update" | https://wordpress.org/plugins/wp-facebook-review-showcase-lite/#developers |
| Another PDF invoices and Packing slips addon for WC | <=1.0.0 | 1.0.1 | byconsoleorderinvoice | Cross-Site Scripting | https://wordpress.org/plugins/byconsoleorderinvoice/ | Update | Plugin | | https://plugins.trac.wordpress.org/changeset/2142434 |
| Social LikeBox & Feed | <=2.8.5 | 2.8.6 | facebook-by-weblizar | Cross-Site Request Forgery + unknown, see notes | https://wordpress.org/plugins/facebook-by-weblizar/ | Update | Plugin | Changelog for 2.8.5 says "Fixed CSRF vulnerability" and 2.8.6 states "Escaping and Sanitation" | https://wordpress.org/plugins/facebook-by-weblizar/#developers |
| 10Web Analytics | all, see notes | unfixed, see notes | wd-google-analytics | Unknown, see notes | https://wordpress.org/plugins/wd-google-analytics/ | Remove | Plugin | Plugin is closed in the public repo. Last commit states "Worked on nonces and/or checking permissions. Also, worked on sanitize, escape, and validate POST calls". Looks like numerous issues. | https://plugins.trac.wordpress.org/changeset/2144453 |
| AccessPress Social Login Lite | all, see notes | unfixed, see notes | accesspress-social-login-lite | Unknown, see notes | https://wordpress.org/plugins/accesspress-social-login-lite/ | Remove | Plugin | Plugin is closed in the public repo. Last commit states "Fixed vulnerabilities". Appears to be at least a few Cross-Site Scripting issues. | https://plugins.trac.wordpress.org/changeset/2144183 |
| Social Feed | all, see notes | unfixed, see notes | wp-social-feed | Unknown, see notes | https://wordpress.org/plugins/wp-social-feed/ | Remove | Plugin | Plugin is closed in the public repo. Last commit states "sanitized"; it looks like numerous fields were being used without sanitization. | https://plugins.trac.wordpress.org/changeset/2143517 |
| WP DSGVO Tools (GDPR) | all, see notes | unfixed | shapepress-dsgvo | Cross-Site Scripting | https://wordpress.org/plugins/shapepress-dsgvo/ | Update | Plugin | | https://www.pluginvulnerabilities.com/2019/08/22/gdpr-plugins-for-wordpress-continue-to-be-insecure/ |
| Zero BS WordPress CRM | all, see notes | unfixed | zero-bs-crm | Cross-Site Request Forgery to CRM reset (data deletion) | https://wordpress.org/plugins/zero-bs-crm/ | Use with extreme caution | Plugin | Until a fix is made available, be *extremely* cautious. | https://www.pluginvulnerabilities.com/2019/08/23/automattic-has-a-lot-of-work-to-do-on-the-security-of-the-zero-bs-wordpress-crm-plugin/ |
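As an added example, not part of the original report or of any plugin's own code: a Python script that checks the output of `wp plugin list --format=json` against the rows above. The report rows are transcribed from the table; the sample plugin list is constructed for the demonstration, and the treatment of non-numeric version suffixes is an assumption. It also shows why the WordPress update flag alone is not enough: Cache Control's fix is committed but untagged, so core reports no update while the installed version is still in the affected range.

```python
"""Audit installed WordPress plugins against the 2019-08-23 vulnerable plugins report."""
import json
import re

# Rows transcribed from the report table: slug -> (affected range, fixed version, suggested action).
# None as fixed version means the report lists no fixed release.
REPORT = {
    "svg-vector-icon-plugin": ("<=3.2.2", "3.2.3", "Update"),
    "wp-front-end-profile": ("<0.2.1", "0.2.2", "Update Immediately"),
    "users-customers-import-export-for-wp-woocommerce": ("<=1.3.1", "1.3.2", "Update Immediately"),
    "weblibrarian": ("<=3.5.4", "3.5.5", "Update Immediately"),
    "cache-control": ("<=2.2.4", "2.2.5", "Update"),
    "bold-page-builder": ("<=2.3.1", "2.3.3", "Update"),
    "portfolio-wp": ("<=1.8.18", "1.8.20", "Update"),
    "woo-variation-gallery": ("<=1.1.28", "1.1.29", "Update"),
    "customize-facebook-feed": ("<=1.2.2", "1.2.3", "Update"),
    "byconsole-greetingcard": ("all", None, "Remove"),
    "wp-facebook-review-showcase-lite": ("<=1.0.2", "1.0.3", "Update"),
    "byconsoleorderinvoice": ("<=1.0.0", "1.0.1", "Update"),
    "facebook-by-weblizar": ("<=2.8.5", "2.8.6", "Update"),
    "wd-google-analytics": ("all", None, "Remove"),
    "accesspress-social-login-lite": ("all", None, "Remove"),
    "wp-social-feed": ("all", None, "Remove"),
    "shapepress-dsgvo": ("all", None, "Update"),
    "zero-bs-crm": ("all", None, "Use with extreme caution"),
}

_RANGE = re.compile(r"^(<=|<)\s*(\d+(?:\.\d+)*)$")


def version_key(version: str) -> tuple:
    """'3.2.2' -> (3, 2, 2). Non-numeric suffixes such as '-beta' are ignored
    (assumption: adequate for the plain dotted versions in this report)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare(a: str, b: str) -> int:
    """Numeric, zero-padded comparison: '2.2' == '2.2.0' and '1.8.18' > '1.8.2'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, affected: str) -> bool:
    """True when the installed version falls inside the report's affected range."""
    if affected == "all":
        return True
    m = _RANGE.match(affected)
    if not m:
        raise ValueError(f"unrecognised range: {affected!r}")
    op, bound = m.groups()
    c = compare(installed, bound)
    return c <= 0 if op == "<=" else c < 0


def audit(wp_plugin_list_json: str) -> list:
    """Take `wp plugin list --format=json` output and return one finding per affected plugin.
    The report decides, not WordPress's own update flag, which can read "none" while the
    installed version is still affected (Cache Control's untagged 2.2.5 in the report)."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin["name"]
        if slug not in REPORT:
            continue
        affected, fixed, action = REPORT[slug]
        if not is_affected(plugin["version"], affected):
            continue
        findings.append({
            "slug": slug,
            "installed": plugin["version"],
            "fixed_in": fixed,
            "action": action,
            "wp_update_flag": plugin.get("update"),
        })
    return findings


# Constructed sample of `wp plugin list --format=json` output; not taken from any real site.
SAMPLE = json.dumps([
    {"name": "svg-vector-icon-plugin", "status": "active", "update": "available", "version": "3.2.2"},
    {"name": "wp-front-end-profile", "status": "active", "update": "none", "version": "0.2.2"},
    {"name": "cache-control", "status": "active", "update": "none", "version": "2.2.4"},
    {"name": "portfolio-wp", "status": "inactive", "update": "none", "version": "1.8.20"},
    {"name": "zero-bs-crm", "status": "active", "update": "none", "version": "2.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.2"},
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['slug']} {f['installed']}: {f['action']} "
              f"(fixed in {f['fixed_in'] or 'no fixed release'}, WP update flag: {f['wp_update_flag']})")
```

Run it with the real list via `wp plugin list --format=json > plugins.json` and pass the file contents to `audit()`. Inactive plugins are still reported on purpose: a closed or unfixed plugin that is merely deactivated still has its files on disk, and the report's "Remove" action means remove.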