20181221 Vulnerable Plugins/Themes Report

| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| W3 Total Cache | all, see notes | unfixed | w3-total-cache | Cross-Site Scripting | https://wordpress.org/plugins/w3-total-cache/ | Disable Google Analytics in plugin, see notes | Plugin | Researcher does not indicate when vulnerability was introduced. Assume all. Target site must have the Google Analytics functionality of W3 Total Cache enabled. | https://www.ripstech.com/php-security-calendar-2018/ day 15 |
| WooCommerce combined with WordPress Importer | all, see notes | unfixed | woocommerce | Object Injection | https://wordpress.org/plugins/woocommerce/ | Use with caution, see notes | Plugin | Researcher does not indicate when vulnerability was introduced. Assume all. Requires attacker to have control of an account with Shop manager role. | https://www.ripstech.com/php-security-calendar-2018/ day 16 |
| Contact Form 7 | 5.0.3 and earlier | 5.0.4 | contact-form-7 | Arbitrary File Download | https://wordpress.org/plugins/contact-form-7/ | Update | Plugin | Requires attacker to be in control of an account with Author role or greater. Vulnerability is no longer exploitable as of v5.0.1 of WordPress, but remains in prior versions. | https://www.ripstech.com/php-security-calendar-2018/ day 18 |
| Regenerate Thumbnails | all, see notes | unfixed | regenerate-thumbnails | Arbitrary File Deletion to site takeover | https://wordpress.org/plugins/regenerate-thumbnails/ | Update to 5.0.1 or remove | Plugin | Researcher does not indicate when vulnerability was introduced. Assume all. Requires attacker to have control of an account with Shop manager role. | https://www.ripstech.com/php-security-calendar-2018/ day 19 |
| WooCommerce | all, see notes | unfixed | woocommerce | Remote Code Execution | https://wordpress.org/plugins/woocommerce/ | Use with caution, see notes | Plugin | Researcher does not indicate when vulnerability was introduced. Assume all. Requires attacker to have control of an account with Shop manager role. This is a bypass for the fix WooCommerce put in place to patch the RCE vulnerability from two weeks ago. | https://www.ripstech.com/php-security-calendar-2018/ day 20 |
| WP Fastest Cache | 0.8.7.4 | 0.8.7.5 | wp-fastest-cache | SQL Injection | https://wordpress.org/plugins/wp-fastest-cache/ | Update | Plugin | | https://www.ripstech.com/php-security-calendar-2018/ day 21 |