20190913 Vulnerable Plugins/Themes Reported spreadsheet
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | <1.5.35 | 1.5.35 | photo-gallery | Cross-Site Scripting | https://wordpress.org/plugins/photo-gallery/ | Update | Plugin | Featured last week, weakness now confirmed this week as cross-site scripting | https://vuldb.com/?id.141402 |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | <1.5.34 | 1.5.35 | photo-gallery | SQL injection | https://wordpress.org/plugins/photo-gallery/ | Update | Plugin | | https://vuldb.com/?id.141403 |
| Landing Pages by SwiftCloud | 1.1 | See Notes | swift-landing-page | Cross-Site Request Forgery | https://wordpress.org/plugins/swift-landing-page/ | Remove | Plugin | Featured last week, weakness now confirmed as cross-site request forgery | https://www.pluginvulnerabilities.com/2019/09/06/vulnerability-details-cross-site-request-forgery-csrf-in-swift-landing-page/ |
| Nexos - Real Estate Theme | <1.6 | 1.6 (see notes) | nexos-wp | Cross-Site Request Forgery leading to persistent cross-site scripting and SQL injection | https://themeforest.net/item/nexos-real-estate-agency-directory/21126242?gclid=EAIaIQobChMItOfD3fjN5AIVQbDtCh2fQwiuEAAYASAAEgIKPfD_BwE | Update | Theme | Theme page says a security fix occurred in 1.6 | https://cxsecurity.com/issue/WLB-2019090058 and https://www.phpsecure.info/go/170318.html |
| UserPro - Community and User Profile | <= 4.9.32 | 4.9.33 | userpro | Reflected Cross-Site Scripting | https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681 | Update | Plugin | Plugin page now has the fix in its changelog | https://cxsecurity.com/issue/WLB-2019090050 |
| LifterLMS | < 3.35.0 | 3.35.0 | lifterlms | Unauthenticated Options Import | https://wordpress.org/plugins/lifterlms/ | Update | Plugin | Nintechnet reports a fix in 3.35.0 | https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-lifterlms-plugin/ |
| Search Exclude | <1.2.5 | 1.2.5 | search-exclude | Cross-Site Request Forgery | https://wordpress.org/plugins/search-exclude/ | Update | Plugin | Appeared last week but the fix was not enough | https://www.pluginvulnerabilities.com/2019/09/09/nintechnet-and-wordpress-plugin-directory-team-fail-to-make-sure-vulnerability-in-search-exclude-was-actually-fixed/ |
| Reality \| Estate Multipurpose | < 2.4.0 | 2.4.0 | reality | Persistent Cross-Site Scripting | https://themeforest.net/item/reality-real-estate-wordpress-theme/21627776 | Update | Theme | Changelog for the theme reports an XSS fix in 2.4.0 | https://cxsecurity.com/issue/WLB-2019090063 |
| Qwizcards – online quizzes and flashcards | <3.37 | 3.37 | qwiz-online-quizzes-and-flashcards | Reflected Cross-Site Scripting | https://wordpress.org/plugins/qwiz-online-quizzes-and-flashcards/ | Update | Plugin | Changelog shows no security fix | https://exploit.kitploit.com/2019/09/wordpress-qwiz-online-quizzes-and.html |
| Sell Downloads | <1.0.86 | 1.0.86 | sell-downloads | Cross-Site Scripting | https://wordpress.org/plugins/sell-downloads/ | Update | Plugin | | https://exploit.kitploit.com/2019/09/wordpress-sell-downloads-1086-cross.html |
| Human Presence | <= 2.0.8 | See Notes | ellipsis-human-presence-technology | Cross-Site Scripting | https://wordpress.org/plugins/ellipsis-human-presence-technology/ | See Notes | Plugin | Plugin closed in repository, changes are being made to it | https://packetstormsecurity.com/files/154393/wpellipsishpt208-xss.txt |
| Premium Addons for Elementor | <3.7.1 | 3.7.1 | premium-addons-for-elementor | Persistent Cross-Site Scripting | https://wordpress.org/plugins/premium-addons-for-elementor | Update | Plugin | Plugin changelog mentions a fix in 3.7.1 | https://www.pluginvulnerabilities.com/2019/09/10/hackers-may-already-be-targeting-this-authenticated-persistent-xss-vulnerability-in-premium-addons-for-elementor/ |
| SlickQuiz | <= 1.3.7.1 | See Notes | slickquiz | Multiple SQL injections and Stored Cross-Site Scripting | https://wordpress.org/plugins/slickquiz/ | Remove | Plugin | Plugin closed in the repository and not updated in 5 years | https://seclists.org/bugtraq/2019/Sep/23 and https://wpvulndb.com/vulnerabilities/9878 |
| Checklist | < 1.1.5 (see notes) | 1.1.9 (see notes) | checklist | Reflected Cross-Site Scripting | https://wordpress.org/plugins/checklist/ | Update | Plugin | Discoverer reports a non-existent version number | https://cxsecurity.com/issue/WLB-2019090081 |
| Travelpayouts: Flights & Hotels Travel Search | <0.7.11 | 0.7.12 | travelpayouts | Persistent Cross-Site Scripting | https://wordpress.org/plugins/travelpayouts/ | Update | Plugin | Changelog (https://wordpress.org/plugins/travelpayouts/#developers) reports two security fixes in the two most recent versions | https://www.pluginvulnerabilities.com/2019/09/11/persistent-cross-site-scripting-xss-vulnerability-in-travelpayouts/ |
| Prevent files / folders access | 1.1.1 | See Notes | prevent-file-access | Cross-Site Request Forgery leading to arbitrary file deletion | https://wordpress.org/plugins/prevent-file-access/ | Remove (see notes) | Plugin | Plugin is brand new, so it is hard to tell whether the commit from 2 days ago is the first commit or a fix | https://www.pluginvulnerabilities.com/2019/09/11/what-security-review-brand-new-wordpress-plugin-contains-csrf-arbitrary-file-deletion-vulnerability/ |
| Easy!Appointments | See Notes | See Notes | Easy!Appointments | Credentials Disclosure | https://wordpress.org/plugins/Easy!Appointments/#developers | Update | Plugin | Version number reported by discoverer isn't a version in the changelog | https://vuldb.com/?id.141657 |
| SagePay Server Gateway for WooCommerce | See Notes | See Notes | sagepay-server-gateway-for-woocommerce | Reflected Cross-Site Scripting | https://wordpress.org/plugins/sagepay-server-gateway-for-woocommerce/ | See Notes | Plugin | Changelog (https://wordpress.org/plugins/sagepay-server-gateway-for-woocommerce/#developers) has confusing version numbers: 1.0.2 appears twice, possibly as the most recent version, and one of the 1.0.2 entries reports a security fix | https://www.pluginvulnerabilities.com/2019/09/12/vulnerability-details-reflected-cross-site-scripting-xss-in-sagepay-server-gateway-for-woocommerce/ |
| Premium Blocks for Gutenberg | <1.7.5 | 1.7.5 | premium-blocks-for-gutenberg | Multiple | https://wordpress.org/plugins/premium-blocks-for-gutenberg/ | Update | Plugin | Changelog has 1.7.5 as a security fix | https://www.pluginvulnerabilities.com/2019/09/12/vulnerability-details-multiple-in-premium-blocks-for-gutenberg/ |
| Slimstat Analytics | <4.8.7.2 | 4.8.7.2 | wp-slimstat | Reflected Cross-Site Scripting | https://wordpress.org/plugins/wp-slimstat/ | Update | Plugin | Nothing in changelog (https://en-gb.wordpress.org/plugins/wp-slimstat/#developers) regarding security fixes | https://www.pluginvulnerabilities.com/2019/09/12/vulnerability-details-reflected-cross-site-scripting-xss-in-slimstat-analytics/ |
| VOD Infomaniak | <1.4.2 | 1.4.2 | vod-infomaniak | See notes | https://wordpress.org/plugins/vod-infomaniak/ | Update | Plugin | Trac commits show sanitisation and possible editing of others' posts | https://plugins.trac.wordpress.org/changeset/2154540 |
| WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible | < 6.2.10 | 6.2.10 | wc-frontend-manager | See notes | https://wordpress.org/plugins/wc-frontend-manager/ | Update | Plugin | Trac commits show extensive use of wc_clean, a WooCommerce sanitisation function | https://plugins.trac.wordpress.org/changeset/2153814 |
| WP FOFT Loader | < 1.0.40 | 1.0.40 | wp-foft-loader | Cross-Site Scripting | https://wordpress.org/plugins/wp-foft-loader/ | Update | Plugin | Trac commit mentions an XSS | https://plugins.trac.wordpress.org/changeset/2153085 |
| WooCommerce PDF Invoices, Packing Slips, Delivery Notes & Shipping Labels | < 2.5.4 | 2.5.4 | print-invoices-packing-slip-labels-for-woocommerce | See Notes | https://wordpress.org/plugins/print-invoices-packing-slip-labels-for-woocommerce/ | Update | Plugin | Trac commits show lots of sanitisation | https://plugins.trac.wordpress.org/changeset/2153319 |
| Project Supremacy V3 Lite | <1.2.0 | See Notes | project-supremacy | See Notes | https://wordpress.org/plugins/project-supremacy/ | Remove (see notes) | Plugin | Trac commits have some sanitisation in the JavaScript. Plugin is currently closed, but is being worked on | https://plugins.trac.wordpress.org/changeset/2154167 |
| Memphis Documents Library | <3.10 | See Notes | memphis-documents-library | See Notes | https://wordpress.org/plugins/memphis-documents-library/ | Update | Plugin | Trac commits show capability checks, suggesting file uploads and more | https://plugins.trac.wordpress.org/changeset/2156167 |
| Social Reviews & Recommendations | <1.6 | See Notes | fb-reviews-widget | See Notes | https://wordpress.org/plugins/fb-reviews-widget/ | Update | Plugin | Trac commits show sanitisation | https://plugins.trac.wordpress.org/changeset/2153159 |
| Post SMTP Mailer/Email Log | 2.0.4 | See Notes | post-smtp | See Notes | https://wordpress.org/plugins/post-smtp/ | Update | Plugin | Trac commits show sanitisation | https://plugins.trac.wordpress.org/changeset/2156100 |
| FileBird – WordPress Media Library Folders | See Notes | See Notes | filebird | Cross-Site Scripting | https://wordpress.org/plugins/filebird/ | See Notes | Plugin | Discoverer has just reported the vulnerability, with a proof of concept, so this is effectively a live vulnerability and it is likely the plugin will be closed | https://www.pluginvulnerabilities.com/2019/09/13/hackers-may-already-be-targeting-this-authenticated-persistent-xss-vulnerability-in-filebird-lite/ |