20190201 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Meta Box | 4.16.1 and earlier | 4.16.2 | meta-box | Authenticated Arbitrary File Upload, see notes | https://wordpress.org/plugins/meta-box/ | Update Immediately | Plugin | Source indicates a file upload issue was corrected. | https://github.com/wpmetabox/meta-box/blob/master/CHANGELOG.md |
| Slider by 10Web – Responsive Image Slider | all, see notes | unfixed | slider-wd | Arbitrary File Upload | https://wordpress.org/plugins/slider-wd/ | Remove Immediately, see notes | Plugin | Plugin removed from public repository. A new version was checked into the wordpress repository, but the plugin's account is still disabled (meaning you won't be notified in your WordPress instance). Suggest removing until fix is available publicly. | https://www.pluginvulnerabilities.com/2019/01/29/our-proactive-monitoring-caught-a-csrf-arbitrary-file-upload-vulnerability-in-a-wordpress-plugin-with-70000-installs/ |
| Slider by 10Web – Responsive Image Slider | all, see notes | unfixed | slider-wd | Cross-Site Request Forgery | https://wordpress.org/plugins/slider-wd/ | Remove Immediately, see notes | Plugin | Plugin removed from public repository. A new version was checked into the wordpress repository, but the plugin's account is still disabled (meaning you won't be notified in your WordPress instance). Suggest removing until fix is available publicly. | https://www.pluginvulnerabilities.com/2019/01/29/our-proactive-monitoring-caught-a-csrf-arbitrary-file-upload-vulnerability-in-a-wordpress-plugin-with-70000-installs/ |
| Download Manager | all, see notes | unfixed | download-manager | Cross-Site Scripting | https://wordpress.org/plugins/download-manager/ | Remove | Plugin | Researcher doesn't indicate when vulnerability was introduced, assume all. | https://www.pluginvulnerabilities.com/2019/01/28/full-disclosure-of-reflected-cross-site-xss-vulnerability-in-wordpress-plugin-with-100000-installs/ |
| Yasr – Yet Another Stars Rating | 1.8.6 and earlier | 1.8.7 | yet-another-stars-rating | Object Injection | https://wordpress.org/plugins/yet-another-stars-rating/ | Update | Plugin | | https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress |
| Smart Forms | 2.6.13 and earlier, see notes | 2.6.14 | smart-forms | Cross-Site Scripting | https://wordpress.org/plugins/smart-forms/ | Update | Plugin | Researcher doesn't indicate when vulnerability was introduced, assume all previous. | https://www.pluginvulnerabilities.com/2019/01/25/reflected-cross-site-scripting-xss-vulnerability-in-smart-forms/ |
| Diamond Multisite Widgets | all, see notes | unfixed | diamond-multisite-widgets | SQL Injection | https://wordpress.org/plugins/diamond-multisite-widgets/ | Remove | Plugin | Researcher doesn't indicate when vulnerability was introduced, assume all previous. Plugin was last updated 4 years ago; you should assume it will not be fixed. | https://cxsecurity.com/issue/WLB-2019010253 |
| Health Check & Troubleshooting | 1.2.3 and earlier | 1.2.4 | health-check | Authenticated Directory Traversal | https://wordpress.org/plugins/health-check/ | Update | Plugin | | https://www.synacktiv.com/ressources/advisories/WordPress_Health_Check_1.2.3_Vulnerabilities.pdf |
| Health Check & Troubleshooting | 1.2.3 and earlier | 1.2.5 | health-check | Authorization bypass | https://wordpress.org/plugins/health-check/ | Update | Plugin | | https://www.synacktiv.com/ressources/advisories/WordPress_Health_Check_1.2.3_Vulnerabilities.pdf |
| Ad Manager by WD – Advanced Ad Manager | 1.0.12 and earlier | 1.0.13 | ad-manager-wd | Authenticated Arbitrary File Download | https://wordpress.org/plugins/ad-manager-wd/ | Update | Plugin | Only requires a role of subscriber or greater. | https://packetstormsecurity.com/files/151371/wpamwd1011-disclose.txt |
| Ad Manager by WD – Advanced Ad Manager | 1.0.12 and earlier | 1.0.14 | ad-manager-wd | Authenticated Arbitrary File Deletion | https://wordpress.org/plugins/ad-manager-wd/ | Update | Plugin | Researcher doesn't indicate when vulnerability was introduced, assume all previous. | https://www.pluginvulnerabilities.com/2019/01/28/arbitrary-file-deletion-vulnerability-in-ad-manager-by-wd/ |
| Events Made Easy | 2.1.1 and earlier, see notes | 2.1.2 | events-made-easy | Authenticated Arbitrary File Upload | https://wordpress.org/plugins/events-made-easy/ | Update Immediately | Plugin | Researcher doesn't indicate when vulnerability was introduced, assume all previous. | https://www.pluginvulnerabilities.com/2019/ |