20190628 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| 360 Product Rotation | <=1.4.7 | 1.4.8 | 360-product-rotation | Cross-Site Scripting | https://wordpress.org/plugins/360-product-rotation/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9405 |
| Widget Logic | <=5.9.0 | 5.10.2 | widget-logic | Cross-Site Request Forgery to Remote Code Execution | https://wordpress.org/plugins/widget-logic/ | Update Immediately | Plugin | | https://dannewitz.ninja/posts/widget-logic-csrf-to-rce |
| Widget Logic | assume all, see notes | unfixed | widget-logic | Cross-Site Request Forgery to Settings Update | https://wordpress.org/plugins/widget-logic/ | Use with caution, see notes | Plugin | Seems there is a different CSRF issue that has not been addressed yet. | https://www.pluginvulnerabilities.com/2019/06/27/if-there-was-a-security-audit-of-the-300000-install-wordpress-plugin-widget-logic-it-missed-a-pretty-obvious-vulnerability/ |
| Block WP Login | <=1.3.0 | 1.3.2 | block-wp-login | Cross-Site Request Forgery | https://wordpress.org/plugins/block-wp-login/ | Update Immediately | Plugin | | https://wpvulndb.com/vulnerabilities/9401 |
| Block WP Login | <=1.3.0 | 1.3.2 | block-wp-login | Unauthorized Settings Update | https://wordpress.org/plugins/block-wp-login/ | Update Immediately | Plugin | | https://wpvulndb.com/vulnerabilities/9401 |
| ACF Better Search | <=3.3.0 | 3.3.1 | acf-better-search | Cross-Site Request Forgery to Settings Update | https://wordpress.org/plugins/acf-better-search/ | Update Immediately | Plugin | | https://www.pluginvulnerabilities.com/2019/06/26/cross-site-request-forgery-csrf-settings-change-vulnerability-in-acf-better-search/ |
| SAML SP Single Sign On | <=4.8.72 | 4.8.73 | saml-sp-single-sign-on | Cross-Site Scripting | https://wordpress.org/plugins/saml-sp-single-sign-on/ | Update | Plugin | | https://zeroauth.ltd/blog/2019/05/27/cve-2019-12346-miniorange-saml-sp-single-sign-on-wordpress-plugin-xss/ via https://nvd.nist.gov/vuln/detail/CVE-2019-12346 |
| WP Better Permalinks | <=3.0.4 | 3.0.5 | wp-better-permalinks | Cross-Site Request Forgery to Settings Update | https://wordpress.org/plugins/wp-better-permalinks/ | Update Immediately | Plugin | | https://wpvulndb.com/vulnerabilities/9398 |
| Author Chat | <=1.9.0 | 2.0.0 | author-chat | Unknown, see notes | https://wordpress.org/plugins/author-chat/ | Update | Plugin | Changelog states "Security fix" | https://wordpress.org/plugins/author-chat/#developers |
| WebP Converter for Media | <=1.0.2 | 1.0.3 | webp-converter-for-media | Cross-Site Request Forgery | https://wordpress.org/plugins/webp-converter-for-media/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9400 |
| Admin Renamer Extended | assume all | unfixed | admin-renamer-extended | Cross-Site Request Forgery | https://wordpress.org/plugins/admin-renamer-extended/ | Remove, see notes | Plugin | Researcher doesn't state when the issue was introduced into the codebase. Assume all. Plugin removed from public repository. | https://www.pluginvulnerabilities.com/2019/06/24/cross-site-request-forgery-csrf-vulnerability-in-admin-renamer-extended/ |
| SEO by Rank Math | <=1.0.27 | 1.0.27.1 | seo-by-rank-math | Authenticated Settings Change/Reset | https://wordpress.org/plugins/seo-by-rank-math/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9375 |
| Ads for WP | assume all | unfixed | ads-for-wp | Cross-Site Request Forgery | https://wordpress.org/plugins/ads-for-wp/ | Remove, see notes | Plugin | Plugin removed from public repository. | https://wpvulndb.com/vulnerabilities/9395 |
| Deny All Firewall | <=1.1.6 | 1.1.7 | deny-all-firewall | Cross-Site Request Forgery to removing .htaccess rules | https://wordpress.org/plugins/deny-all-firewall/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9379 |
| WP Ultimate Recipe | <=3.12.6 | 3.12.7 | wp-ultimate-recipe | Authenticated Stored Cross-Site Scripting | https://wordpress.org/plugins/wp-ultimate-recipe/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9394 |
| CP Contact Form with PayPal | <=1.2.97 | 1.2.98 | cp-contact-form-with-paypal | Cross-Site Scripting | https://wordpress.org/plugins/cp-contact-form-with-paypal/ | Update | Plugin | wpvulndb page states <=1.3.01 affected and fixed in 1.3.02, but if you follow the reference the fix was introduced in 1.2.98. | https://wpvulndb.com/vulnerabilities/9381 |
| Custom 404 Pro | <=3.2.9 | 3.2.10 | custom-404-pro | Authenticated Cross-Site Scripting | https://wordpress.org/plugins/custom-404-pro/ | Update | Plugin | Seems there were additional issues. Changelog for 3.2.10 states "more updates and fixes". | https://wpvulndb.com/vulnerabilities/9382 |
| Import Users from CSV with Meta | <=1.14.1.3 | 1.14.2.2 | import-users-from-csv-with-meta | Cross-Site Request Forgery to attachment deletion | https://wordpress.org/plugins/import-users-from-csv-with-meta/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9392 |
| HTML5 Maps | <=1.6.5.6 | 1.6.5.7 | html5-maps | Cross-Site Request Forgery | https://wordpress.org/plugins/html5-maps/ | Update | Plugin | | https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000041.html |
| Custom CSS Pro | <=1.0.3 | 1.0.4 | custom-css-pro | Cross-Site Request Forgery | https://wordpress.org/plugins/custom-css-pro/ | Update | Plugin | | https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000042.html |
| Live Chat Unlimited | <=2.8.3 | 2.8.4, see notes | screets-lcx | Cross-Site Scripting | https://screets.com/ | Update | Plugin | Paid plugin, so I don't have access to the code, but version 2.8.4 was just released with the note "Fixed paste issue on reply" and I was unable to replicate the PoC. | https://exploit.kitploit.com/2019/06/wordpress-live-chat-unlimited-283-cross.html |
| iLive - Intelligent WordPress Live Chat Support Plugin | assume all | unfixed, see notes | ilive | Stored Cross-Site Scripting | http://www.ilive.wpapplab.com/ | Remove, see notes | Plugin | Paid plugin, so I don't have access to the code. Last release was 2017, so it is unlikely to be updated soon. | https://cxsecurity.com/issue/WLB-2019060166 |
| Plugin Info Card | <=2.3.6 | 2.3.7 | wp-plugin-info-card | Authenticated Cross-Site Scripting | https://wordpress.org/plugins/wp-plugin-info-card/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9380 |
| Advanced Woo Search | <=1.68 | 1.70 | advanced-woo-search | Cross-Site Request Forgery to Cross-Site Scripting | https://wordpress.org/plugins/advanced-woo-search/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9384 |
| User Email Verification for WooCommerce | <=3.3.0 | 3.4.0 | woo-confirmation-email | Cross-Site Request Forgery to Options Update | https://wordpress.org/plugins/woo-confirmation-email/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9386 |
| Limb Gallery | assume all | unfixed | limb-gallery | Cross-Site Scripting | https://wordpress.org/plugins/limb-gallery/ | Remove | Plugin | Researcher doesn't state when the issue was introduced into the codebase. Assume all. Plugin removed from public repository. | https://www.pluginvulnerabilities.com/2019/06/26/what-would-hackers-be-interested-in-the-wordpress-plugin-limb-gallery-for/ |
| Sina Extension For Elementor | <=2.2.0 | 2.2.1 | sina-extension-for-elementor | Local File Inclusion | https://wordpress.org/plugins/sina-extension-for-elementor/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9368 |
| Watu Quiz | <=3.1.2.5 | 3.1.2.6 | watu | Cross-Site Scripting | https://wordpress.org/plugins/watu/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9409 |
| Ultimate Member | assume all | unfixed, see notes | ultimate-member | Arbitrary Password Reset | https://wordpress.org/plugins/ultimate-member/ | Remove, see notes | Plugin | Disclosure states a fix is scheduled for v2.4 but won't be out until September; since this is a premium plugin, I do not have access to the source to verify. Remove or use with extreme caution. I would also encourage you to contact the vendor and ask them about the status of the fix. | https://cxsecurity.com/issue/WLB-2019060101 |
| WebP Express | see notes | 0.14.18 | webp-express | Multiple, see notes | https://wordpress.org/plugins/webp-express/ | Update | Plugin | There were 8 security-related releases in the last week, including one just a few moments ago. CSRF and LFI were both mentioned in the changelog. | https://wordpress.org/plugins/webp-express/#developers |
| Advanced Classifieds & Directory Pro | see notes | 1.7.0 | advanced-classifieds-and-directory-pro | Unknown, see notes | https://wordpress.org/plugins/advanced-classifieds-and-directory-pro/ | Update | Plugin | Changelog states "Fix: security fix" | https://wordpress.org/plugins/advanced-classifieds-and-directory-pro/#developers |
| LiveChat | see notes | 3.7.4 | wp-live-chat-software-for-wordpress | Unknown, see notes | https://wordpress.org/plugins/wp-live-chat-software-for-wordpress/ | Update | Plugin | Changelog states "security fixes" | https://wordpress.org/plugins/wp-live-chat-software-for-wordpress/#developers |
| Excel Like Product Attribute and Tag Manager | see notes | see notes | excel-like-product-attribute-and-tag-manager | Unknown, see notes | https://wordpress.org/plugins/excel-like-product-attribute-and-tag-manager/ | Remove, see notes | Plugin | Plugin was closed in the public repo back on June 6; a recent update in trac states "MAJOR SECURITY FIXUP", which hopefully fixes whatever issues were present. Since the plugin is still closed, you will need to manually update the plugin from source. | https://plugins.trac.wordpress.org/changeset/2113044 |
| Single Sign On for Windows | see notes | 4.9.9 | miniorange-windows-single-sign-on | Unknown, see notes | https://wordpress.org/plugins/miniorange-windows-single-sign-on/ | Update | Plugin | Changelog states "Security fixes" | https://wordpress.org/plugins/miniorange-windows-single-sign-on/#developers |