20190705 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Gallery Photoblocks | <=1.1.40 | 1.1.41 | photoblocks-grid-gallery | Cross-Site Scripting, possibly full-path disclosure | https://wordpress.org/plugins/photoblocks-grid-gallery/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9425 |
| Zoner - Real Estate | <=4.1 | 4.1.1 | zoner | Cross-Site Scripting and Stored Cross-Site Scripting | https://themeforest.net/item/zoner-real-estate-wordpress-theme/9099226 | Update | Theme | | https://wpvulndb.com/vulnerabilities/9424 |
| MyBookTable | <=3.2.2 | 3.2.3 | mybooktable | Cross-Site Scripting | https://wordpress.org/plugins/mybooktable/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9423 |
| Ocean Extra | <=1.5.8 | 1.5.9 | ocean-extra | Unauthenticated Settings Update | https://wordpress.org/plugins/ocean-extra/ | Update | Plugin | | https://blog.nintechnet.com/settings-change-and-css-injection-in-wordpress-ocean-extra-plugin/ |
| Ocean Extra | <=1.5.8 | 1.5.9 | ocean-extra | CSS Injection | https://wordpress.org/plugins/ocean-extra/ | Update | Plugin | | https://blog.nintechnet.com/settings-change-and-css-injection-in-wordpress-ocean-extra-plugin/ |
| Ocean Extra | <=1.5.8 | 1.5.9 | ocean-extra | Cross-Site Request Forgery | https://wordpress.org/plugins/ocean-extra/ | Update | Plugin | | https://blog.nintechnet.com/settings-change-and-css-injection-in-wordpress-ocean-extra-plugin/ |
| Essential Real Estate | <=1.7.1 | 1.7.2 | essential-real-estate | Cross-Site Scripting | https://wordpress.org/plugins/essential-real-estate/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9421 |
| Visitors Traffic Real Time Statistics | <=1.11 | 1.13 | visitors-traffic-real-time-statistics | Cross-Site Request Forgery to Stored Cross-Site Scripting/SQL Injection | https://wordpress.org/plugins/visitors-traffic-real-time-statistics/ | Update | Plugin | | https://dannewitz.ninja/posts/visitors-traffic-real-time-statistics-csrf-to-stored-xss |
| WP Statistics | <=12.6.6.1 | 12.6.7 | wp-statistics | Stored Cross-Site Scripting | https://wordpress.org/plugins/wp-statistics/ | Update | Plugin | | https://blog.sucuri.net/2019/07/wordpress-plugin-wp-statistics-unauthenticated-stored-xss-under-certain-configurations.html |
| WP Statistics | <=12.6.6.1 | 12.6.7 | wp-statistics | Unauthenticated Blind SQL Injection | https://wordpress.org/plugins/wp-statistics/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9412 |
| Simple Mail Address Encoder | <=1.6.1 | 1.7 | simple-mail-address-encoder | Authenticated Cross-Site Scripting | https://wordpress.org/plugins/simple-mail-address-encoder/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9418 |
| Insert or Embed Articulate Content into WordPress | <=4.2999 | 4.29991 | insert-or-embed-articulate-content-into-wordpress | Authenticated Arbitrary Folder Deletion/Rename | https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/ | Update Immediately | Plugin | "...it [is] possible for an authenticated user with a role as low as subscriber to delete and rename arbitrary folders" | https://wpvulndb.com/vulnerabilities/9416 |
| Support Board - Chat And Help Desk \| Support & Chat | <=1.2.8 | 1.2.9 | supportboard | Cross-Site Scripting | https://codecanyon.net/item/support-board-chat-and-help-desk/20752085 | Update | Plugin | Changelog states "SECURITY FIX - XSS security fix" | https://codecanyon.net/item/support-board-chat-and-help-desk/20752085 |
| 360 Product Rotation | <=1.4.7 | 1.4.8 | 360-product-rotation | Cross-Site Scripting | https://wordpress.org/plugins/360-product-rotation/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9405 |
| MapsSVG Lite | assume all, see notes | unfixed | mapsvg-lite-interactive-vector-maps | Authenticated Arbitrary File Upload | https://wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/ | Remove Immediately | Plugin | Researcher doesn't state when the vulnerability was introduced into the codebase; assume all versions are affected. Plugin is now closed in the public repo. | https://www.pluginvulnerabilities.com/2019/06/28/our-proactive-monitoring-caught-an-authenticated-arbitrary-file-upload-vulnerability-in-the-wordpress-plugin-mapsvg-lite/ |
| WP Like Button | assume all, see notes | unfixed | wp-like-button | Unauthenticated Settings Update | https://wordpress.org/plugins/wp-like-button/ | Remove | Plugin | Researcher doesn't state when the vulnerability was introduced into the codebase; assume all versions are affected. | https://limbenjamin.com/articles/wp-like-button-auth-bypass.html |
| Server Status by Hostname/IP | assume all, see notes | unfixed | server-status-by-hostnameip | Authenticated Cross-Site Scripting | https://wordpress.org/plugins/server-status-by-hostnameip/ | Remove | Plugin | Researcher doesn't state when the vulnerability was introduced into the codebase; assume all versions are affected. Plugin is now closed in the public repo. | https://github.com/ivoschyk-cs/exploit_wp/blob/master/CVE-2019-12570 via https://vuldb.com/?id.137286 |
| Essential Real Estate | <=1.7.1 | 1.7.2 | essential-real-estate | Cross-Site Scripting | https://wordpress.org/plugins/essential-real-estate/ | Update | Plugin | Changelog states "Fix: Reflected XSS" for 1.7.2 and "Fix: Reflected XSS" for 1.7.1 | https://wordpress.org/plugins/essential-real-estate/#developers |
| Newsletters | assume all, see notes | unfixed | newsletters-lite | Cross-Site Scripting | https://wordpress.org/plugins/newsletters-lite/ | Remove, see notes | Plugin | Researcher doesn't state when the vulnerability was introduced into the codebase; assume all versions are affected. Plugin is now closed in the public repo. There was a commit (tagged 4.6.15) two days ago that states "Security, library, etc. fixes", so hopefully an update will be available soon. | https://www.pluginvulnerabilities.com/2019/07/01/reflected-cross-site-scripting-xss-vulnerability-in-newsletters/ |
| Newsletters | assume all, see notes | unfixed | newsletters-lite | Authenticated Remote Code Execution | https://wordpress.org/plugins/newsletters-lite/ | Remove, see notes | Plugin | Researcher doesn't state when the vulnerability was introduced into the codebase; assume all versions are affected. Plugin is now closed in the public repo. There was a commit (tagged 4.6.15) two days ago that states "Security, library, etc. fixes", so hopefully an update will be available soon. | https://www.pluginvulnerabilities.com/2019/07/01/reflected-cross-site-scripting-xss-vulnerability-in-newsletters/ |
| Appointment Booking Calendar | <=1.3.19 | 1.3.20 | appointment-booking-calendar | Cross-Site Scripting | https://wordpress.org/plugins/appointment-booking-calendar/ | Update | Plugin | | https://www.pluginvulnerabilities.com/2019/07/03/hackers-look-to-be-targeting-the-wordpress-plugin-appointment-booking-calendar-which-is-yet-another-insecure-plugin-from-code-people/ |
| Vertical News Scroller | <=1.9 | 1.10 | vertical-news-scroller | Cross-Site Scripting | https://wordpress.org/plugins/vertical-news-scroller/ | Update | Plugin | Changelog states "Vulnerability fixes. Sanitize, escape, and validate your POST/GET." | https://wordpress.org/plugins/vertical-news-scroller/#developers |
| WooCommerce | <=3.6.4 | 3.6.5 | woocommerce | Cross-Site Request Forgery, see notes | https://wordpress.org/plugins/woocommerce/ | Update | Plugin | Changelog states "Security – Introduce file type check for tax rate importer. Security – Added nonce check to CSV importer actions." | https://wordpress.org/plugins/woocommerce/#developers |
| easy pdf restaurant menu upload | <=1.1.2 | 1.2 | easy-pdf-restaurant-menu-upload | Cross-Site Scripting | https://wordpress.org/plugins/easy-pdf-restaurant-menu-upload/ | Update | Plugin | Commit message states "fixed xss" | https://plugins.trac.wordpress.org/changeset/2114753 |