20190726 Vulnerable Plugins/Themes Reportled spreadsheet

	A	B	C	D	E	F	G	H	I	J
1	Name	Version(s) Affected	Fixed in Version	Plugin Directory	Vulnerability	Link/Plugin Status	Suggested Action	Plugin/Theme	Other Notes	Source

2	Real Estate 7	<=2.8.9	2.9.0	realestate-7	Persistent Cross-Site Scripting	https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778	Update	Theme		https://cxsecurity.com/issue/WLB-2019070114
3	ND Shortcodes For Visual Composer	<=5.9		nd-shortcodes	Option Update	https://wordpress.org/plugins/nd-shortcodes/	Remove	Plugin	Discover doesn't reveal version affected assume all	https://www.pluginvulnerabilities.com/2019/07/25/vulnerability-details-option-update-in-nd-shortcodes-nd-shortcodes-for-visual-composer/
4	WP Super Cache	<=1.6.8	1.6.9	wp-super-cache	Persistent Cross-Site Scripting	https://wordpress.org/plugins/wp-super-cache/	Update	Plugin	Discover doesn't reveal version affected assume all	https://www.pluginvulnerabilities.com/2019/07/25/vulnerability-details-persistent-cross-site-scripting-xss-in-wp-super-cache/
5	Custom Simple RSS	<2.0.7	2.0.7	custom-simple-rss	Cross-site Request Forgery leading to settings change	https://wordpress.org/plugins/custom-simple-rss/	Update	Plugin	Discover doesn't reveal version affected assume all	https://www.pluginvulnerabilities.com/2019/07/24/vulnerability-details-cross-site-request-forgery-csrf-settings-change-in-custom-simple-rss/
6	Contact Form 7 Dynamic Text Extension	<=2.0.21	2.0.3	contact-form-7-dynamic-text-extension	Reflected Cross-Site Scripting	https://wordpress.org/plugins/contact-form-7-dynamic-text-extension/	Update	Plugin	Discover doesn't reveal version affected assume all, developer states all below 2.0.21	https://www.pluginvulnerabilities.com/2019/07/24/reflected-cross-site-scripting-xss-vulnerability-in-contact-form-7-dynamic-text-extension/
7	WP Fastest Cache	<0.8.9.6	0.8.9.6	wp-fastest-cache	Directory Traversal	https://wordpress.org/plugins/wp-fastest-cache/	Update	Plugin	Discover doesn't reveal version affected assume all	https://plugins.trac.wordpress.org/changeset/2124619
8	Peter's Login Redirect	< 2.9.2	2.9.2	peters-login-redirect/	Multiple Cross-Site Request Forgeries	https://wordpress.org/plugins/peters-login-redirect/	Update	Plugin	Discover doesn't reveal version affected assume all	https://wpvulndb.com/vulnerabilities/9474
9	Email Subscribers & Newsletters	<4.1.8	4.1.8	email-subscribers	SQL Injection	https://wordpress.org/plugins/email-subscribers/	Update	Plugin	Discover doesn't reveal version affected assume all	https://vuldb.com/?id.138382
10	WP Code Highlight.js	<= 0.6.3		wp-code-highlightjs	Cross-site scripting	https://wordpress.org/plugins/wp-code-highlightjs/	Remove	Plugin		https://www.systemtek.co.uk/2019/07/wp-code-highlightjs-wordpress-plugin-vulnerability-cve-2019-12934/
11	Adaptive Images for WordPress	<0.6.67	0.6.67	adaptive-images	Local File Inclusion	https://wordpress.org/plugins/adaptive-images/#developers	Update	Plugin	Discover doesn't reveal version affected assume all. Change log only describes one fix, assumed to have fixed both issues	https://vuldb.com/?id.138392
12	Adaptive Images for WordPress	<0.6.67	0.6.67	adaptive-images	Directory Traversal	https://wordpress.org/plugins/adaptive-images/#developers	Update	Plugin	Discover doesn't reveal version affected assume all. Change log only describes one fix, assumed to have fixed both issues	https://vuldb.com/?id.138393
13	Viral Quiz Maker - OnionBuzz	<=1.2.6	1.2.7		SQL injection	https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001	See Notes	Plugin	Discover doesn't reveal version affected assume all.Something specific in the change log for this fix, but not issue below (https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001_	https://vuldb.com/?id.138403
14	Viral Quiz Maker - OnionBuzz	<=1.2.1	see notes		SQL injection	https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001	See Notes	Plugin	Discover doesn't reveal version affected assume all. Nothing specific in the change log for this fix (https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001_	https://vuldb.com/?id.138404
15	WP SVG Icons	<= 3.2.2		svg-vector-icon-plugin	Cross-Site Request Forgery leading to a file upload	https://wordpress.org/plugins/svg-vector-icon-plugin/	Remove (see notes)	Plugin	Changelog is hidden - https://en-gb.wordpress.org/plugins/svg-vector-icon-plugin/#developers - but a recent change has been made which may be a fix	https://www.pluginvulnerabilities.com/2019/07/22/vulnerability-details-cross-site-request-forgery-csrf-arbitrary-file-upload-in-wp-svg-icons/
16	Breeze	<1.0.11	1.0.11	breeze	Open Redirect	https://wordpress.org/plugins/breeze/	Update	Plugin		https://www.pluginvulnerabilities.com/2019/07/22/our-plugin-security-checker-caught-an-authenticated-open-redirect-vulnerability-in-breeze/
17	WPS Hide Login	<1.5.3	1.5.3	wps-hide-login	Multiple, see notes	https://wordpress.org/plugins/wps-hide-login/	Update	Plugin	Protection bypass, parameter passing and path disclosure	https://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/
18	Simple Membership	<3.8.5	3.8.5	simple-membership	Cross-site request forgery	https://wordpress.org/plugins/simple-membership	Update	Plugin	Discover doesn't reveal version affected assume all	https://www.pluginvulnerabilities.com/2019/07/23/vulnerability-details-cross-site-request-forgery-csrf-in-simple-wordpress-membership-simple-membership/
19	GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership	<1.4.13	1.4.13	gourl-bitcoin-payment-gateway-paid-downloads-membership	Unauthorised Privilege Escalation	https://wordpress.org/plugins/gourl-bitcoin-payment-gateway-paid-downloads-membership/	Update	Plugin	Discover doesn't reveal version affected assume all. There is nothing in the changelog about this - https://wordpress.org/plugins/gourl-bitcoin-payment-gateway-paid-downloads-membership/#developers	https://vuldb.com/?id.138469
20	Yes-co ORES	<1.3.45		yes-co-ores-wordpress-plugin	Authenticated Persistent Cross-Site scripting	https://wordpress.org/plugins/yes-co-ores-wordpress-plugin/	Remove (see notes)	Plugin	Changelog is hidden - https://en-gb.wordpress.org/plugins/svg-vector-icon-plugin/#developers - but a recent change has been made which may be a fix	https://www.pluginvulnerabilities.com/2019/07/23/our-proactive-monitoring-caught-an-authenticated-persistent-cross-site-scripting-xss-vulnerability-in-yes-co-ores/
21	WooCommerce Product Feed	<3.1.16	3.1.16	webappick-product-feed-for-woocommerce	Reflected Cross-Site Scripting	https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/	Update	Plugin		https://www.pluginvulnerabilities.com/2019/07/23/vulnerabilty-details-reflected-cross-site-scripting-xss-in-woocommerce-product-feed/
22	Taxonomy Converter	<1.2	1.2	taxonomy-converter	See Notes	https://wordpress.org/plugins/taxonomy-converter/	Update	Plugin	Possible Cross-SIte Scripting	https://plugins.trac.wordpress.org/changeset/2128822
23	WCFM – WooCommerce Frontend Manager for WC Vendors Dokan with Bookings & Listings	<6.2.4	6.2.4	wc-frontend-manager	See Notes	https://wordpress.org/plugins/wc-frontend-manager/	Update	Plugin	Possible Cross-SIte Scripting	https://plugins.trac.wordpress.org/changeset/2127468
24	WC Peach Payments Gateway	<1.3.4	1.3.4	wc-peach-payments-gateway	See Notes	https://wordpress.org/plugins/wc-peach-payments-gateway/	Update	Plugin	No change log available to check - Possible Cross-SIte Scripting	https://plugins.trac.wordpress.org/changeset/2126650
25	WCFM Marketplace – WooCommerce Multivendor Marketplace	<3.1.5	3.1.5	wc-multivendor-marketplace	See Notes	https://wordpress.org/plugins/wc-multivendor-marketplace/	Update	Plugin	Lots of sanitisation in the new commits - Possible SQL injection / Cross Site Scripting	https://plugins.trac.wordpress.org/changeset/2127471
26	rtMedia for WordPress, BuddyPress and bbPress	<4.5.7	4.5.7	buddypress-media	File Upload, see notes	https://wordpress.org/plugins/buddypress-media/	Update	Plugin	https://plugins.trac.wordpress.org/changeset/2104741 only obvious change re permissions for users is an is_admin on a deletion, so possible file deletion	https://www.pluginvulnerabilities.com/2019/07/26/vulnerability-details-restricted-file-upload-in-rtmedia-for-wordpress-buddypress-and-bbpress/
27	Widget for Facebook Page Feeds	<5.0		facebook-pagelike-widget	Authenticated Persistent Cross-Site scripting	https://wordpress.org/plugins/facebook-pagelike-widget/	Remove (see notes)	Plugin	Closed yesterday, no commits since, assume not being worked on and remove	https://www.pluginvulnerabilities.com/2019/07/26/authenticated-persistent-cross-site-scripting-xss-vulnerability-in-facebook-widget-widget-for-facebook-page-feeds/
28	Contact Form & SMTP Plugin for WordPress by PirateForms	<2.5.2	2.5.2	pirate-forms	HTML Injection	https://wordpress.org/plugins/pirate-forms/	Update	Plugin		https://blog.nintechnet.com/html-injection-vulnerability-in-wordpress-pirate-forms-plugin/
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100