20190809 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Maps Widget for Google Maps – Google Maps Builder | <=4.1.6, see notes | 4.1.7 | google-maps-widget | Unauthenticated Options Update | https://wordpress.org/plugins/google-maps-widget/ | Update | Plugin | Researcher doesn't indicate when the issue was introduced, assume all previous versions | https://www.pluginvulnerabilities.com/2019/08/02/wordpress-plugin-directory-team-missed-settings-change-vulnerability-in-maps-widget-for-google-maps/ |
| Essential Grid Portfolio - Photo Gallery | assume all | unfixed | essential-grid | Unauthorized Options Update | https://wordpress.org/plugins/essential-grid/ | Remove | Plugin | Plugin closed in public repo | https://www.pluginvulnerabilities.com/2019/08/02/plugin-new-to-wordpress-plugin-directory-with-400000-installs-is-lacking-basic-security/ |
| Donations | <=1.3 | 1.4 | nd-donations | Privilege Escalation via Unauthenticated Settings Update | https://wordpress.org/plugins/nd-donations/ | Update Immediately | Plugin | | https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-donations-plugin/ |
| Booking | <=2.4 | 2.5 | nd-booking | Privilege Escalation via Unauthenticated Settings Update | https://wordpress.org/plugins/nd-booking/ | Update Immediately | Plugin | | https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-booking-plugin/ |
| Learning Courses | <=4.7 | 4.8 | nd-learning | Privilege Escalation via Unauthenticated Settings Update | https://wordpress.org/plugins/nd-learning/ | Update Immediately | Plugin | | https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-learning-courses-plugin/ |
| Restaurant Reservations | <=1.3.4 | 1.5 | nd-restaurant-reservations | Privilege Escalation via Unauthenticated Settings Update | https://wordpress.org/plugins/nd-restaurant-reservations/ | Update Immediately | Plugin | | https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-restaurant-reservations-plugin/ |
| Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter | <=3.44 | 3.45 | popup-builder | Authenticated SQL Injection | https://wordpress.org/plugins/popup-builder/ | Update | Plugin | | https://fortiguard.com/zeroday/FG-VD-19-102 |
| Login or Logout Menu Item | <=1.1.1 | 1.2 | login-or-logout-menu-item | Unauthenticated Options Update | https://wordpress.org/plugins/login-or-logout-menu-item/ | Update | Plugin | | https://blog.nintechnet.com/unauthenticated-options-change-in-wordpress-login-or-logout-menu-item-plugin/ |
| JSON API | assume all | unfixed | json-api | Open Redirect | https://wordpress.org/plugins/json-api/ | Remove | Plugin | Plugin was last updated 4 years ago and has been closed in public repo. | https://www.pluginvulnerabilities.com/2019/08/07/open-redirect-vulnerability-in-json-api/ |
| PPOM for WooCommerce | assume all | unfixed | ppom-for-woocommerce | Authenticated Stored Cross-Site Scripting + Cross-Site Request Forgery | https://wordpress.org/plugins/ppom-for-woocommerce/ | Remove | Plugin | | https://www.pluginvulnerabilities.com/2019/08/08/this-authenticated-persistent-xss-vulnerability-might-be-what-hackers-are-targeting-ppom-for-woocommerce-for/ |
| WP Photo Album Plus | assume all previous | 7.2.05.008 | wp-photo-album-plus | Cross-Site Scripting | https://wordpress.org/plugins/wp-photo-album-plus/ | Update | Plugin | The version numbering is unusual and there's no changelog. Assume all previous versions are vulnerable | https://plugins.trac.wordpress.org/changeset/2134232/wp-photo-album-plus/trunk/wppa-photo-admin-autosave.php |
| Simple 301 Redirects – Addon – Bulk Uploader | <=1.2.4 | 1.2.5 | simple-301-redirects-addon-bulk-uploader | Unknown, see notes | https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/ | Update | Plugin | Commit message states "update security bugfix" | https://plugins.trac.wordpress.org/changeset/2136308/ |
| WordPress Photo Gallery – Multipurpose Portfolio, Image Gallery & Video Gallery | <=1.0.3 | 1.0.5 | photo-gallery-portfolio | Unknown, see notes | https://wordpress.org/plugins/photo-gallery-portfolio/ | Update | Plugin | 1.0.4 and 1.0.5 change log entries state "fix security issues" | https://wordpress.org/plugins/photo-gallery-portfolio/#developers |
| LiveChat for Easy Digital Downloads | <=1.3.2 | 1.3.3 | livechat-for-easy-digital-downloads | Unknown, see notes | https://wordpress.org/plugins/livechat-for-easy-digital-downloads/ | Update | Plugin | Changelog states "security fix for database related operations" | https://wordpress.org/plugins/livechat-for-easy-digital-downloads/#developers |
| LiveChat – WP live chat plugin for WordPress | <=3.7.5 | 3.7.6 | wp-live-chat-software-for-wordpress | Unknown, see notes | https://wordpress.org/plugins/wp-live-chat-software-for-wordpress/ | Update | Plugin | Changelog states "yet another security improvement, better security check for database operations" | https://wordpress.org/plugins/wp-live-chat-software-for-wordpress/#developers |
| ATR Server Status | <=1.4.0 | 1.4.1 | atr-server-status | Unknown, see notes | https://wordpress.org/plugins/atr-server-status/ | Update | Plugin | Changelog states "Security update, removing leftover debug code" | https://wordpress.org/plugins/atr-server-status/#developers |
| Easy search and use CC-licensed images for WP | <=0.5.0 | 1.0 | ls-wp-ccsearch | Unknown, see notes | https://wordpress.org/plugins/ls-wp-ccsearch/ | Update | Plugin | Changelog states "sanitize input". | https://wordpress.org/plugins/ls-wp-ccsearch/#developers |
| WP Like Button | <=1.6.5 | 1.6.6 | wp-like-button | See notes | https://wordpress.org/plugins/wp-like-button/ | Update | Plugin | Changelog states "made this plugin more secure" for v1.6.2 and 1.6.3, and then immediate comments for 1.6.5 and 1.6.6 for "fixed issues". I'm _guessing_ they are related to the disclosed issues back at the beginning of July that were unfixed at the time. | https://wordpress.org/plugins/wp-like-button/#developers |