20181019 Vulnerable Plugins/Themes Report

	A	B	C	D	E	F	G	H	I	J
1	Name	Version(s) Affected	Fixed in Version	Plugin Directory	Vulnerability	Link/Plugin Status	Suggested Action	Plugin/Theme	Other Notes	Source

2	WooCommerce	3.4.5 and earlier	3.4.6	woocommerce	Authenticated Code Injection	https://wordpress.org/plugins/woocommerce/	Update	Plugin		https://wpvulndb.com/vulnerabilities/9137
3	Tajer	unsure, see notes	unfixed	tajer	Stored Cross-Site Scripting	https://wordpress.org/plugins/tajer/	Remove	Plugin	Plugin closed	http://www.vapidlabs.com/advisory.php?v=205
4	WordFence	7.1.12 and earlier, see notes	7.1.14	wordfence	Username Enumeration Prevention Bypass	https://wordpress.org/plugins/wordfence/	Update	Plugin		https://packetstormsecurity.com/files/149845/waraxe-2010-SA109.txt
5	WordFence	7.1.12 and earlier, see notes	7.1.14	wordfence	Multiple Cross-Site Scripting	https://wordpress.org/plugins/wordfence/	Update	Plugin		https://packetstormsecurity.com/files/149845/waraxe-2010-SA109.txt
6	WordFence	7.1.12 and earlier, see notes	7.1.14	wordfence	Path Disclosure	https://wordpress.org/plugins/wordfence/	Update	Plugin		https://packetstormsecurity.com/files/149845/waraxe-2010-SA109.txt
7	csv2wpec-coupon	all	unfixed	csv2wpec-coupon	File Upload	https://wordpress.org/plugins/csv2wpec-coupon/	Remove Immediately	Plugin		http://www.vapidlabs.com/advisory.php?v=153
8	WP Fastest Cache	0.8.8.5 and earlier	.8.8.6	wp-fastest-cache	Cross-Site Scripting	https://wordpress.org/plugins/wp-fastest-cache/	Update	Plugin		https://wordpress.org/plugins/wp-fastest-cache/#developers changelog and https://www.pluginvulnerabilities.com/2018/10/09/vulnerability-details-csrf-xss-vulnerability-in-wp-fastest-cache/
9	Sitepress Multilingual CMS	3.6.3 and earlier	4.0	sitepress-multilingual-cms	Stored Cross-Site Scripting	https://wpml.org/	Update	Plugin		https://seclists.org/bugtraq/2018/Oct/24
10	WP DSGVO Tools	all, see notes	unfixed	shapepress-dsgvo	Object Injection	https://wordpress.org/plugins/shapepress-dsgvo/	Remove	Plugin	Researcher doesn't indicate when the vulnerability was introduced. Quick looks shows it's in at least the last two releases. Assume all.	https://www.pluginvulnerabilities.com/2018/10/05/the-continued-inappropriate-behavior-of-wordpress-has-lead-to-this-disclosure-of-an-exploitable-vulnerability-in-a-plugin-with-30000-active-installs/
11	VendorFuel	1.3.0 and earlier	1.3.1	vendorfuel	Restricted File Upload	https://wordpress.org/plugins/vendorfuel/	Update	Plugin		https://www.pluginvulnerabilities.com/2018/10/04/our-proactive-monitoring-caught-a-restricted-file-upload-vulnerability-in-vendorfuel/
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100