20190906 Vulnerable Plugins/Themes Reported spreadsheet
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Save Abandoned Carts – WooCommerce Live Checkout Field Capture | < 3.3 | 3.3 | woo-save-abandoned-carts | Cross-Site Request Forgery leading to SQL injection | https://wordpress.org/plugins/woo-save-abandoned-carts | Update | Plugin | Discoverer doesn't state versions, but the changelog mentions a fix in 3.3 (https://wordpress.org/plugins/woo-save-abandoned-carts/#developers) | https://www.pluginvulnerabilities.com/2019/08/30/vulnerability-details-cross-site-request-forgery-csrf-sql-injection-in-woocommerce-live-checkout-field-capture/ |
| Login or Logout Menu Item | <1.2.0 | 1.2.0 | login-or-logout-menu-item | Weak Authentication | https://wordpress.org/plugins/login-or-logout-menu-item | Update | Plugin | A month old, but previously unreported | https://vuldb.com/?id.141164 |
| One Click SSL | <1.4.7 | 1.4.7 | one-click-ssl | Cross-Site Request Forgery | https://wordpress.org/plugins/one-click-ssl | Update | Plugin | | https://vuldb.com/?id.141172 |
| Gallery PhotoBlocks | <1.1.33 | 1.1.33 | photoblocks-grid-gallery | Cross-Site Request Forgery | https://wordpress.org/plugins/photoblocks-grid-gallery | Update | Plugin | | https://vuldb.com/?id.141173 |
| Visitor Traffic Real Time Statistics | <1.1 | 1.1 | visitors-traffic-real-time-statistics | Cross-Site Request Forgery | https://wordpress.org/plugins/visitors-traffic-real-time-statistics/ | Update | Plugin | Changelog credits this report, which dates from July: https://www.pluginvulnerabilities.com/2019/07/03/vulnerability-details-cross-site-request-forgery-csrf-cross-site-scripting-xss-in-visitors-traffic-real-time-statistics/ | https://wordpress.org/plugins/visitors-traffic-real-time-statistics/#developers |
| Sina Extension for Elementor | <2.2.0 | 2.2.0 | sina-extension-for-elementor | Local File Inclusion Privilege | https://wordpress.org/plugins/sina-extension-for-elementor | Update | Plugin | | https://vuldb.com/?id.141183 |
| Event Tickets | <= 4.10.7.1 | 4.10.7.2 | event-tickets | CSV injection | https://wordpress.org/plugins/event-tickets/ | Update | Plugin | | https://packetstormsecurity.com/files/154295/wpeventtickets41071-inject.txt |
| Portrait-Archiv.com Photostore | See Notes | | portrait-archiv-shop | Cross-Site Scripting | https://wordpress.org/plugins/portrait-archiv-shop | Remove | Plugin | Plugin is closed in the repository, but the version there is 3.1; the reported version is 5.0.4 | https://exploit.kitploit.com/2019/09/wordpress-portrait-archivcom-photostore.html / https://wpvulndb.com/vulnerabilities/9859 |
| Ultimate Google Analytics | 1.6.0 | See Notes | ultimate-google-analytics | Cross-Site Request Forgery leading to Cross-Site Scripting | https://wordpress.org/plugins/ultimate-google-analytics/ | See Notes | Plugin | Plugin last updated 12 years ago, but closed (temporarily) on the repository. No sign of updates. Advise remove | https://www.pluginvulnerabilities.com/2019/09/03/cross-site-request-forgery-csrf-cross-site-scripting-xss-vulnerability-in-ultimate-google-analytics/ |
| Search Exclude | <1.2.2 | See Notes | search-exclude | Settings Change | https://wordpress.org/plugins/search-exclude | Update | Plugin | Changelog reports a fix in version 1.2.3, but 1.2.2 is the only one available for download | https://www.pluginvulnerabilities.com/2019/09/03/settings-change-vulnerability-in-search-exclude/ |
| WP BASE Booking of Appointments, Services and Events | <3.5.1 | 3.5.1 | wp-base-booking-of-appointments-services-and-events | PHP Object Injection / see notes | https://wordpress.org/plugins/wp-base-booking-of-appointments-services-and-events/ | Update | Plugin | Plugin owner disputes that the weaknesses exist | https://www.pluginvulnerabilities.com/2019/09/03/our-proactive-monitoring-caught-a-php-object-injection-vulnerability-in-wp-base-booking-of-appointments-services-and-events/ |
| WP Human Resource Management | <2.2.15 | See Notes | hrm | Authenticated Option Update | https://wordpress.org/plugins/hrm/ | See Notes | Plugin | Plugin is closed but shows recent changes | https://www.pluginvulnerabilities.com/2019/09/03/our-proactive-monitoring-caught-an-authenticated-option-update-vulnerability-being-introduced-in-to-wp-human-resource-management/ |
| ConvertPlus | <3.4.4 | See Notes | | Account Creation Privilege | https://www.convertplug.com/plus/ | See Notes | Plugin | Plugin is premium, so hard to gauge | https://vuldb.com/?id.141207 |
| Spryng Payments for WooCommerce | <=1.6.7 | See Notes | spryng-payments-woocommerce | Cross-Site Scripting | https://wordpress.org/plugins/spryng-payments-woocommerce/ | Remove | Plugin | Plugin is closed and no change has been made | https://exploit.kitploit.com/2019/09/wordpress-spryng-payments-woocommerce.html |
| Melhor Envio V2 | <2.6.0 (See Notes) | See Notes | melhor-envio-cotacao | Multiple (see notes) | https://wordpress.org/plugins/melhor-envio-cotacao | See Notes | Plugin | Discoverer doesn't report more details. The changelog is in Spanish and Google Translate doesn't show anything obvious | https://www.pluginvulnerabilities.com/2019/09/04/vulnerability-details-multiple-in-melhor-envio-v2/ |
| API Bearer Auth | 20181229 | See Notes | api-bearer-auth | Cross-Site Scripting | https://wordpress.org/plugins/api-bearer-auth/ | See Notes | Plugin | Plugin is closed and shows no sign of an update | https://packetstormsecurity.com/files/154369/wpapibearerauth-xss.txt |
| Groundhogg | <=2.0.9.4 | See Notes | groundhogg | Arbitrary File Viewing | https://wordpress.org/plugins/groundhogg/ | Update | Plugin | The fix is in 2.0.9.5, but the changelog (https://wordpress.org/plugins/groundhogg/#developers) reports further security fixes after this | https://www.pluginvulnerabilities.com/2019/09/05/our-proactive-monitoring-caught-an-arbitrary-file-viewing-vulnerability-in-groundhogg/ |
| ECPay Logistics for WooCommerce | 1.2.181030 | See Notes | ecpay-logistics-for-woocommerce | Cross-Site Scripting | https://wordpress.org/plugins/ecpay-logistics-for-woocommerce/ | Remove | Plugin | Plugin is closed, and shows no sign of changes | https://exploit.kitploit.com/2019/09/wordpress-ecpay-logistics-for.html |
| Advanced Access Manager | <5.9.9 (see notes) | 5.9.9 | advanced-access-manager | Arbitrary File Viewing | https://wordpress.org/plugins/advanced-access-manager/ | Update | Plugin | Changelog (https://en-gb.wordpress.org/plugins/advanced-access-manager/#developers) reports a fix in 5.9.9 | https://www.pluginvulnerabilities.com/2019/09/05/vulnerability-details-arbitrary-file-viewing-in-advanced-access-manager/ |
| Formidable Forms Builder for WordPress – Contact Forms, Surveys & Quiz Forms Plugin | See Notes | | formidable | Cross-Site Request Forgery | https://wordpress.org/plugins/formidable/ | Update | Plugin | Changelog has security fixes in the last three versions. Update ASAP | https://www.pluginvulnerabilities.com/2019/09/06/cross-site-request-forgery-csrf-vulnerability-in-formidable-forms/ |
| Influencer Marketing & Press Release System | See Notes | | influencer-marketing | See Notes | https://wordpress.org/plugins/influencer-marketing/ | See Notes | Plugin | Commit changes show a potential Cross-Site Request Forgery. 2.6 in the commit changes is the fix, but it is yet to be approved by the plugin team | https://plugins.trac.wordpress.org/changeset/2151061 |
| Landing Pages by SwiftCloud | 1.1 | See Notes | swift-landing-page | See Notes | https://wordpress.org/plugins/swift-landing-page/ | Remove | Plugin | Commit message (https://plugins.trac.wordpress.org/changeset/2151082) is simply "Security - deleting" | https://plugins.trac.wordpress.org/changeset/2151082 |
| WooCommerce Product Bundle Choice | <0.5.0 | 0.5.0 | woo-bundle-choice | See Notes | https://wordpress.org/plugins/woo-bundle-choice/ | Update | Plugin | Commit message (https://plugins.trac.wordpress.org/changeset/2150148) mentions closing security loopholes | https://plugins.trac.wordpress.org/changeset/2150148 |
| PVB Contact Form 7 Calculator Add-on | <1.0.7 | 1.0.7 | pvb-contact-form-7-calculator | See Notes | https://wordpress.org/plugins/pvb-contact-form-7-calculator/ | Update | Plugin | Commit message (https://plugins.trac.wordpress.org/changeset/2149454) mentions security fixes. Changelog says 1.0.7 is the fix | https://plugins.trac.wordpress.org/changeset/2149454 |
| WordPress Robots.txt optimization (+ Multisite) – Website traffic, ranking & SEO Booster + Woocommerce | < 1.3.0 | 1.3.0 | better-robots-txt | See Notes | https://wordpress.org/plugins/better-robots-txt/ | Update | Plugin | Commit message (https://plugins.trac.wordpress.org/changeset/2150138) mentions security and lots of sanitisation in the new code | https://plugins.trac.wordpress.org/changeset/2150138 |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | <1.5.35 | 1.5.35 | photo-gallery | See Notes | https://wordpress.org/plugins/photo-gallery/ | Update | Plugin | Commit message (https://plugins.trac.wordpress.org/changeset/2150912) mentions a vulnerability fix | https://plugins.trac.wordpress.org/changeset/2150912 |