20170302 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin/Theme Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes |
|---|---|---|---|---|---|---|---|---|
| Mobile App Native | 3.0 and earlier | unfixed | zen-mobile-app-native | Remote File Upload | Plugin removed from public repository | Remove Immediately | Plugin | |
| Analytics Stats Counter Statistics | 1.2.2.5 and earlier | unfixed | stats-counter | Unauthenticated PHP Object Injection | Plugin removed from public repository | Remove Immediately | Plugin | |
| nBill Lite | 3.2.2 and earlier | unfixed | nbill | Unauthenticated PHP Object Injection | Plugin removed from public repository | Remove Immediately | Plugin | |
| Simple Ads Manager | 2.9.8.125 | unfixed | simple-ads-manager | Unauthenticated PHP Object Injection | Plugin removed from public repository | Remove Immediately | Plugin | |
| NextGEN Gallery | 2.1.77 and earlier | 2.1.79 | nextgen-gallery | Unauthenticated SQL Injection | https://wordpress.org/plugins/nextgen-gallery/ | Update immediately or remove | Plugin | |
| VaultPress | all versions | unfixed | vaultpress | Man-in-the-Middle attack, possibly remote code execution | https://wordpress.org/plugins/vaultpress/ | Remove | Plugin | For a full understanding, read https://sumofpwn.nl/advisory/2016/vaultpress___remote_code_execution_via_man_in_the_middle_attack.html |
| Kama Click Counter | 3.2.3 and earlier | unfixed | kama-clic-counter | Authenticated Blind SQL Injection | Plugin removed from public repository | Remove | Plugin | |
| NewStatPress | 1.2.4 and earlier | unfixed | newstatpress | Stored Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| Google Analytics Dashboard | 2.1.1 and earlier | unfixed | google-analytics-dashboard | Authenticated Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| Contact Form Manager | 1.4.4 and earlier | unfixed | contact-form-manager | Cross-Site Request Forgery and Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| User Login Log | 2.2.2 and earlier | unfixed | user-login-log | Authenticated Stored Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | Exploitable by ANY authenticated user (subscriber and above). |
| WP-SpamFree Anti-Spam | 2.1.1.6 | unfixed | wp-spamfree | Authenticated Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| Adminer | 1.4.3 and 1.4.4 | see notes | adminer | Public database login | Plugin removed from public repository | Remove | Plugin | The SVN repository shows the issue fixed in v1.4.5, but the plugin has been removed from the public repository. In general, exposing a world-accessible direct login to your database is a bad idea, so I would suggest removing the plugin. Read more here: https://sumofpwn.nl/advisory/2016/wordpress_adminer_plugin_allows_public__local__database_login.html |
| Alpine PhotoTile for Instagram | 1.2.7.7 and earlier | unfixed | alpine-photo-tile-for-instagram | Reflected Cross-Site Scripting | https://wordpress.org/plugins/alpine-photo-tile-for-instagram/ | Remove | Plugin | |
| FormBuilder | 1.0.5 and earlier (possibly all, see notes) | unfixed (see notes) | formbuilder | Stored Cross-Site Scripting | https://wordpress.org/plugins/formbuilder/ | Remove | Plugin | The tested version was 1.0.5; the latest version is 1.0.8. Though the initial disclosure doesn't mention it, the plugin also outputs user-supplied data in other areas. In addition, the plugin's description states that it is reaching end of life. I would suggest removing it. |
| WP-Filebase Download Manager | 3.4.4 and earlier | unfixed | wp-filebase | Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| Trust Form | 2.0 and earlier | unfixed (see notes) | trust-form | Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | Version 2.0.1 in the SVN repository appears to be an attempt by the author to address some of the disclosed vulnerabilities. However, other areas remain vulnerable to cross-site scripting, which is most likely why the plugin has been removed from the public repository. |
| Global Content Blocks | 2.1.5 | unfixed | global-content-blocks | Cross-Site Request Forgery | Plugin removed from public repository | Remove | Plugin | |
| Fungif the Awesome GIFS | all versions | unfixed | fungif | Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| Simply Symphony Adaptive Editor | all versions | unfixed | fluxlive | Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| AuMenu | 1.1.4 and earlier | unfixed | aumenu | Reflected Cross-Site Scripting | https://wordpress.org/plugins/aumenu/ | Remove | Plugin | |
| Easy2Map Photos | all versions | unfixed | easy2map-photos | Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| ActiveHelper LiveHelp Love Chat | 4.5 and earlier | unfixed | activehelper-livehelp | Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| Double Opt-in for Download | 2.1.5 and earlier | unfixed | double-opt-in-for-download | Reflected Cross-Site Scripting | Plugin removed from public repository | Remove | Plugin | |
| Google XML Sitemaps | 4.0.8 and earlier | unfixed | google-sitemap-generator | Authenticated Reflected Cross-Site Scripting | https://wordpress.org/plugins/google-sitemap-generator/ | Remove | Plugin | |
| Raygun4WP | 1.8.0 and earlier | 1.8.1 | raygun4wp | Reflected Cross-Site Scripting | https://wordpress.org/plugins/raygun4wp/ | Update | Plugin | |
| GNUCommerce | 1.4.1 and earlier | 1.4.2 | gnucommerce | Reflected Cross-Site Scripting | https://wordpress.org/plugins/gnucommerce/ | Update | Plugin | |
| Delete Comments by Status | 1.5.2 and earlier | 1.5.3 | delete-comments-by-status | Reflected Cross-Site Scripting | https://wordpress.org/plugins/delete-comments-by-status | Update | Plugin | |
| Magic Fields 1 | 1.7.1 and earlier | 1.7.2 | Magic-Fields | Authenticated Cross-Site Scripting | https://github.com/hunk/Magic-Fields/releases/tag/1.7.2 | Update | Plugin | |
| Charitas Lite | 1.0.5 and earlier | unfixed | charitas-lite | Reflected Cross-Site Scripting | https://wordpress.org/themes/charitas-lite/ | Remove | Theme | |
| Atahualpa | 3.7.24 and earlier | unfixed | atahualpa | Authenticated Cross-Site Scripting and Cross-Site Request Forgery | https://wordpress.org/themes/atahualpa/ | Remove | Theme | |
| Doctors | 0.7 and earlier | unfixed | doctors | Unauthenticated Reflected Cross-Site Scripting | https://wordpress.org/themes/doctors/ | Remove | Theme | |
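Most rows above are marked "Plugin removed from public repository", which matters for the check: a plugin that has been pulled from wordpress.org no longer shows up in the WordPress update notifier, so an installed copy looks "up to date" while staying vulnerable. The only reliable check is to compare the installed directory slug and version against the report's rows. The script below is an added example, not part of the report, that does that comparison. It encodes a subset of the rows (the rest follow the same pattern), interprets the report's range wording ("all versions", "X and earlier", "X and Y", a single version) with a proper dotted-version compare so that 1.2.2.5 is newer than 1.2.2 and 2.1.8 is older than 2.1.77, and reads the site's inventory in the JSON shape that `wp plugin list --fields=name,version --format=json` (or `wp theme list`) produces. The sample inventory is constructed for the example.

```python
"""Check an installed WordPress plugin/theme inventory against rows of the
2017-03-02 vulnerable plugins/themes report.

Added example, not part of the report. ADVISORIES is a subset of the report's
rows; SAMPLE_WP_CLI_OUTPUT is constructed input in the shape produced by
`wp plugin list --fields=name,version --format=json`.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    slug: str                # directory name under wp-content/plugins or wp-content/themes
    name: str
    affected: str            # range text exactly as written in the report
    fixed_in: Optional[str]  # None when the report says "unfixed"
    action: str


# Subset of the report's rows; the remaining rows are added the same way.
ADVISORIES: List[Advisory] = [
    Advisory("zen-mobile-app-native", "Mobile App Native", "3.0 and earlier", None, "Remove Immediately"),
    Advisory("simple-ads-manager", "Simple Ads Manager", "2.9.8.125", None, "Remove Immediately"),
    Advisory("nextgen-gallery", "NextGEN Gallery", "2.1.77 and earlier", "2.1.79", "Update immediately or remove"),
    Advisory("vaultpress", "VaultPress", "all versions", None, "Remove"),
    Advisory("adminer", "Adminer", "1.4.3 and 1.4.4", None, "Remove"),
    Advisory("formbuilder", "FormBuilder", "1.0.5 and earlier (possibly all, see notes)", None, "Remove"),
    Advisory("raygun4wp", "Raygun4WP", "1.8.0 and earlier", "1.8.1", "Update"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.77' -> (2, 1, 77); non-numeric suffixes such as '-beta' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_le(a: str, b: str) -> bool:
    """a <= b, compared component-wise: '1.2.2.5' > '1.2.2' and '2.1.8' < '2.1.77'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) <= pb + (0,) * (n - len(pb))


def is_affected(installed: str, affected: str) -> bool:
    """Interpret the report's range wording: 'all versions', 'X and earlier'
    (trailing notes allowed), 'X and Y' (exactly those two releases), or 'X'."""
    s = affected.strip().lower()
    if s.startswith("all versions"):
        return True
    m = re.match(r"([\d.]+) and earlier", s)
    if m:
        return version_le(installed, m.group(1))
    m = re.fullmatch(r"([\d.]+) and ([\d.]+)", s)
    if m:
        return parse_version(installed) in (parse_version(m.group(1)), parse_version(m.group(2)))
    if re.fullmatch(r"[\d.]+", s):
        return parse_version(installed) == parse_version(s)
    raise ValueError(f"unrecognised range text in report: {affected!r}")


def load_wp_cli_json(text: str) -> Dict[str, str]:
    """{slug: version} from `wp plugin list` / `wp theme list` JSON output."""
    return {row["name"]: row["version"] for row in json.loads(text)}


def check_installed(installed: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (slug, installed version, fixed-in version or 'unfixed', action)
    for every installed item whose version falls inside a report row, in report order."""
    hits = []
    for adv in ADVISORIES:
        version = installed.get(adv.slug)
        if version is not None and is_affected(version, adv.affected):
            hits.append((adv.slug, version, adv.fixed_in or "unfixed", adv.action))
    return hits


# Constructed sample inventory (not from a real site).
SAMPLE_WP_CLI_OUTPUT = """[
  {"name": "akismet", "version": "3.3"},
  {"name": "nextgen-gallery", "version": "2.1.77"},
  {"name": "raygun4wp", "version": "1.8.1"},
  {"name": "vaultpress", "version": "1.9.0"},
  {"name": "adminer", "version": "1.4.4"}
]"""

if __name__ == "__main__":
    for slug, version, fixed_in, action in check_installed(load_wp_cli_json(SAMPLE_WP_CLI_OUTPUT)):
        print(f"{slug} {version}: affected (fixed in {fixed_in}) -> {action}")
```

On the sample inventory the script flags nextgen-gallery 2.1.77 (update to 2.1.79 or remove), vaultpress (all versions, remove) and adminer 1.4.4 (remove), and passes raygun4wp 1.8.1 because it is past the 1.8.0 upper bound. Match on the directory slug rather than the display name: the slug is what WordPress loads from disk, and it is what the report's "Plugin/Theme Directory" column gives.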