20190802 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Woody Ad Snippets | <2.2.5 | 2.2.5 | insert-php | Unauthenticated Options, Persistent Cross-Site Scripting and Remote Code Execution | https://wordpress.org/plugins/insert-php/ | Update | Plugin | No details on versions affected; changelog lists a security fix under 2.2.5 | https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/ |
| Woody Ad Snippets | <2.2.5 | 2.2.5 | insert-php | Post deletion (part of the remote code execution covered above) | https://wordpress.org/plugins/insert-php/ | Update | Plugin | No details on versions affected; changelog lists a security fix under 2.2.5 | https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/ |
| Blog2Social | <=5.5.0 | ? | blog2social | SQL injection | https://wordpress.org/plugins/blog2social/ | See Notes | Plugin | Nothing in changelog | https://wpvulndb.com/vulnerabilities/9476 |
| Photo Gallery | <=1.5.30 | 1.5.31 | photo-gallery | SQL injection | https://wordpress.org/plugins/photo-gallery/ | Update | Plugin | Changelog reports fix in 1.5.31 | https://wpvulndb.com/vulnerabilities/9480 |
| JoomSport | <3.3 | ? | joomsport-sports-league-results-management | SQL injection | https://wordpress.org/plugins/joomsport-sports-league-results-management/ | Update | Plugin | Nothing security-wise in changelog | https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/ |
| GigToDo | <=1.3 | ? | ? | Cross-Site Scripting | https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397 | See Notes | Plugin | Nothing in site changelog | https://packetstormsecurity.com/files/153803/gigtodo13-xss.txt |
| Simple Membership | <3.8.4 | 3.8.6 | simple-membership | Settings Change | https://wordpress.org/plugins/simple-membership/ | Update | Plugin | Discoverer rates this as "possible". Changelog reports a nonce fix in 3.8.6, released on Friday 2nd August. 3.8.5 adds a nonce check which helps reduce the likelihood of cross-site scripting | https://www.pluginvulnerabilities.com/2019/08/01/wordpress-plugin-directory-team-missed-possible-settings-change-vulnerability-in-simple-membership/ |
| WC Duplicate Order | 1.5 | | wc-duplicate-order | Privilege Escalation and Cross-Site Request Forgery | https://wordpress.org/plugins/wc-duplicate-order/ | Remove | Plugin | Plugin hasn't been updated in a long time; no version details published, assume all versions affected | https://www.pluginvulnerabilities.com/2019/07/29/wordpress-plugin-security-review-wc-duplicate-order/ |
| ImportWP | <1.1.6 | 1.1.7 | jc-importer | Post deletion | https://wordpress.org/plugins/jc-importer/ | Update | Plugin | No details on versions affected; assume all versions under 1.1.7 | |
| Animate it! | <2.3.6 | 2.3.6 | animate-it | Cross-Site Request Forgery (CSRF)/Cross-Site Scripting | https://wordpress.org/plugins/animate-it/ | | | Changelog reports security fixes in 2.3.6 | https://www.pluginvulnerabilities.com/2019/07/29/vulnerability-details-cross-site-request-forgery-csrf-cross-site-scripting-xss-in-animate-it/ |
| Taxonomy Converter | <1.2 | 1.2 | taxonomy-converter | Reflected Cross-Site Scripting | https://wordpress.org/plugins/taxonomy-converter/ | | | Listed as possible last week; confirmed this week | https://www.pluginvulnerabilities.com/2019/07/29/vulnerability-details-reflected-cross-site-scripting-xss-in-taxonomy-converter/ |
| Variation Swatches for WooCommerce | <=1.0.61 | | woo-variation-swatches | Reflected Cross-Site Scripting | https://wordpress.org/plugins/woo-variation-swatches/ | See Notes | Plugin | Plugin has been updated in the last week but remains closed | https://www.pluginvulnerabilities.com/2019/07/30/reflected-cross-site-scripting-xss-vulnerability-in-woocommerce-variation-swatches/ |
| GA Top post for WP by Asentechllc | <=1.0 | | ga-top-posts | Restricted File Upload | https://wordpress.org/plugins/ga-top-posts/ | See Notes | Plugin | Plugin has been updated in the last week but remains closed | https://www.pluginvulnerabilities.com/2019/07/30/our-proactive-monitoring-caught-a-restricted-file-upload-vulnerability-in-the-brand-new-wordpress-plugin-ga-top-posts/ |
| Theme Check | <20190801.1 | 20190801.1 | theme-check | Cross-Site Request Forgery | https://wordpress.org/plugins/theme-check/ | Update | Plugin | Version numbers are time-based. Changelog reports the vulnerability is limited in scope to checking a theme | https://www.pluginvulnerabilities.com/2019/07/31/there-is-a-csrf-vulnerability-in-a-wordpress-plugin-with-80000-installs-developed-by-one-of-the-six-people-running-the-plugin-directory/ |
| uListing | <=1.2.2 | | ulisting | Authenticated Arbitrary File Upload | https://wordpress.org/plugins/ulisting/ | See Notes | Plugin | Plugin has been updated in the last week but remains closed | https://www.pluginvulnerabilities.com/2019/07/31/our-proactive-monitoring-caught-an-authenticated-arbitrary-file-upload-vulnerability-in-being-introduced-in-to-ulisting/ |
| Nested Pages | <=3.0.7 | 3.0.8 | wp-nested-pages | Post Edit Bypass | https://wordpress.org/plugins/wp-nested-pages/ | Update | Plugin | Changelog reports a fix for post editing in 3.0.8 | https://wpvulndb.com/vulnerabilities/9484 |
| WP Shopify | <=2.0.5 | | wpshopify | Information Disclosure | https://wordpress.org/plugins/wpshopify/ | See Notes | Plugin | Plugin has been updated in the last week but remains closed | https://www.pluginvulnerabilities.com/2019/08/01/vulnerability-details-information-disclosure-in-wp-shopify/ |
| WP Shopify | <=2.0.5 | | wpshopify | Persistent Cross-Site Scripting | https://wordpress.org/plugins/wpshopify/ | See Notes | Plugin | Plugin has been updated in the last week but remains closed | https://www.pluginvulnerabilities.com/2019/08/01/settings-change-to-persistent-cross-site-scripting-xss-vulnerability-in-wp-shopify/ |
| Ultimate Loan Manager | 2.0 | ? | | Persistent Cross-Site Scripting | https://codecanyon.net/item/ultimate-loan-manager/19891884 | See Notes | Plugin | No versions greater than 2.0 available to install | https://packetstormsecurity.com/files/153856/ulm20-xss.txt |
| Maps Widget for Google Maps – Best Maps Plugin | <4.1.6 | 4.1.6 | google-maps-widget | See Notes | https://wordpress.org/plugins/google-maps-widget/ | See Notes | Plugin | Possible Remote Code Execution / Cross-Site Scripting | https://plugins.trac.wordpress.org/changeset/2131353 |
| Maps Widget for Google Maps – Best Maps Plugin | <4.1.6 | | google-maps-widget | Settings Change vulnerability | https://wordpress.org/plugins/google-maps-widget/ | Remove, See Notes | Plugin | Discoverer places this after the most recent fix, so the current version still has the weakness | https://www.pluginvulnerabilities.com/2019/08/02/wordpress-plugin-directory-team-missed-settings-change-vulnerability-in-maps-widget-for-google-maps/ |
| Easy Property Listings | <=3.3.5 | | easy-property-listings | See Notes | https://wordpress.org/plugins/easy-property-listings/ | See Notes | Plugin | Possible Cross-Site Request Forgery | https://plugins.trac.wordpress.org/changeset/2127777 |
| Travel Management | <=1.5 | 1.6 | nd-travel | Unauthenticated Options Change | https://wordpress.org/plugins/nd-travel/ | Update | Plugin | | https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-travel-management-plugin/ |