20190531 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Hostel | <=1.1.3 | 1.1.4 | hostel | Cross-Site Scripting | https://wordpress.org/plugins/hostel/ | Update | Plugin | | https://vuldb.com/?id.135644 |
| Slick Popup | <=1.7.1 | unfixed, see notes | slick-popup | Privilege Escalation | https://wordpress.org/plugins/slick-popup/ | Remove Immediately | Plugin | Plugin closed on public repository. Version 1.7.2 has been added to the public repo but there is no indication the issues have been fully resolved. Since the plugin has been closed in the public repo, even if 1.7.2 fixes all the issues, end users won't be notified in the WordPress admin GUI. | https://www.wordfence.com/blog/2019/05/privilege-escalation-flaw-present-in-slick-popup-plugin/ |
| Ultimate Membership Pro | <=7.5 | 7.6 | indeed-membership-pro | Arbitrary Media Upload | https://wordpress.org/plugins/indeed-membership-pro/ | Update | Plugin | The vulnerability is that someone can upload arbitrary images to your server. The risk is then to site reputation and misuse of your system's resources. | https://wpvulndb.com/vulnerabilities/9293 |
| Ultimate Membership Pro | 7.4.2 <= 7.5 | 7.6 | indeed-membership-pro | Arbitrary Media Include | https://wordpress.org/plugins/indeed-membership-pro/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9294 |
| Event Management Tickets Booking | <=1.0.5 | unfixed | event-monster | Stored Cross-Site Scripting | https://wordpress.org/plugins/event-monster/ | Remove | Plugin | | https://wpvulndb.com/vulnerabilities/9290 |
| Custom CSS Pro | <=1.0.3 | 1.0.4 | custom-css-pro | Cross-Site Request Forgery, see notes | https://wordpress.org/plugins/custom-css-pro/ | Update | Plugin | Changelog states "Added nonce to saving action, Sanitizing CSS data" | https://wordpress.org/plugins/custom-css-pro/#developers |
| Custom CSS Pro | <=1.0.4 | 1.0.4 | custom-css-pro | Cross-Site Scripting, see notes | https://wordpress.org/plugins/custom-css-pro/ | Update | Plugin | Changelog states "Added nonce to saving action, Sanitizing CSS data" | https://wordpress.org/plugins/custom-css-pro/#developers |
| Hustle – Pop-Ups, Slide-ins and Email Opt-ins | <=6.0.7 | 6.0.8.1 | wordpress-popup | CSV Injection | https://wordpress.org/plugins/wordpress-popup/ | Update | Plugin | | https://blog.reddy.io/2019/05/24/reddy-solutions-found-a-csv-injection-vulnerability-in-hustle-wordpress-plugin/ |
| Affiliates Manager | <=2.6.5 | 2.6.6 | affiliates-manager | Unknown, see notes | https://wordpress.org/plugins/affiliates-manager/ | Update | Plugin | Changelog states "Updated the security checks in the plugin settings." | https://wordpress.org/plugins/affiliates-manager/#developers |
| JobCareer \| Job Board Responsive WordPress Theme | <=2.5 | 2.5.1 | jobcareer | Stored Cross-Site Scripting | https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 | Update | Theme | | https://wpvulndb.com/vulnerabilities/9322 |
| Traveler | 2.7.1 | unfixed, see notes | traveler | Reflected and Stored Cross-Site Scripting | https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683 | Update | Theme | | https://wpvulndb.com/vulnerabilities/9321 |
| Convert Plus | <=3.4.2 | 3.4.3 | convertplug | Unauthenticated Administrator Creation | https://www.convertplug.com/plus/ | Update Immediately | Plugin | | https://www.wordfence.com/blog/2019/05/critical-vulnerability-patched-in-popular-convert-plus-plugin/, https://www.convertplug.com/plus/version-3-4-3-security-update/ |
| Related YouTube Videos | <=1.9.7 | 1.9.9 | related-youtube-videos | Cross-Site Request Forgery, see notes | https://wordpress.org/plugins/related-youtube-videos/ | Update | Plugin | Changelog states "security fixes: nonce + sanitization" | https://wordpress.org/plugins/related-youtube-videos/#developers |
| Paid Memberships Pro | <=2.0.5 | 2.0.6 | paid-memberships-pro | Authenticated Open Redirect | https://wordpress.org/plugins/paid-memberships-pro/ | Update | Plugin | | https://www.pluginvulnerabilities.com/2019/05/30/authenticated-open-redirect-vulnerability-in-paid-memberships-pro/ |
| WP Live Chat Support | <=8.0.32 | 8.0.33 | wp-live-chat-support | Unknown, see notes | https://wordpress.org/plugins/wp-live-chat-support/ | Update | Plugin | Changelog states "Adds additional security hardening to the REST API (Reported by Jonny Milliken – Active Intelligence), Fixed DDOS Vector on the End Chat button by hiding and disabling the end chat functionality once clicked, Fixed DDOS Vector which allowed more than 2000 characters to be send as a user message." | https://wordpress.org/plugins/wp-live-chat-support/#developers |
| Folders | <=2.0.5 | 2.1.1 | folders | Unknown, see notes | https://wordpress.org/plugins/folders/ | Update | Plugin | Changelog states "security fixes" | https://wordpress.org/plugins/folders/#developers |