20190726 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Real Estate 7 | <=2.8.9 | 2.9.0 | realestate-7 | Persistent Cross-Site Scripting | https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778 | Update | Theme |  | https://cxsecurity.com/issue/WLB-2019070114 |
| ND Shortcodes For Visual Composer | <=5.9 |  | nd-shortcodes | Option Update | https://wordpress.org/plugins/nd-shortcodes/ | Remove | Plugin | Discover doesn't reveal version affected, assume all | https://www.pluginvulnerabilities.com/2019/07/25/vulnerability-details-option-update-in-nd-shortcodes-nd-shortcodes-for-visual-composer/ |
| WP Super Cache | <=1.6.8 | 1.6.9 | wp-super-cache | Persistent Cross-Site Scripting | https://wordpress.org/plugins/wp-super-cache/ | Update | Plugin | Discover doesn't reveal version affected, assume all | https://www.pluginvulnerabilities.com/2019/07/25/vulnerability-details-persistent-cross-site-scripting-xss-in-wp-super-cache/ |
| Custom Simple RSS | <2.0.7 | 2.0.7 | custom-simple-rss | Cross-Site Request Forgery leading to settings change | https://wordpress.org/plugins/custom-simple-rss/ | Update | Plugin | Discover doesn't reveal version affected, assume all | https://www.pluginvulnerabilities.com/2019/07/24/vulnerability-details-cross-site-request-forgery-csrf-settings-change-in-custom-simple-rss/ |
| Contact Form 7 Dynamic Text Extension | <=2.0.21 | 2.0.3 | contact-form-7-dynamic-text-extension | Reflected Cross-Site Scripting | https://wordpress.org/plugins/contact-form-7-dynamic-text-extension/ | Update | Plugin | Discover doesn't reveal version affected, assume all; developer states all below 2.0.21 | https://www.pluginvulnerabilities.com/2019/07/24/reflected-cross-site-scripting-xss-vulnerability-in-contact-form-7-dynamic-text-extension/ |
| WP Fastest Cache | <0.8.9.6 | 0.8.9.6 | wp-fastest-cache | Directory Traversal | https://wordpress.org/plugins/wp-fastest-cache/ | Update | Plugin | Discover doesn't reveal version affected, assume all | https://plugins.trac.wordpress.org/changeset/2124619 |
| Peter's Login Redirect | <2.9.2 | 2.9.2 | peters-login-redirect | Multiple Cross-Site Request Forgeries | https://wordpress.org/plugins/peters-login-redirect/ | Update | Plugin | Discover doesn't reveal version affected, assume all | https://wpvulndb.com/vulnerabilities/9474 |
| Email Subscribers & Newsletters | <4.1.8 | 4.1.8 | email-subscribers | SQL Injection | https://wordpress.org/plugins/email-subscribers/ | Update | Plugin | Discover doesn't reveal version affected, assume all | https://vuldb.com/?id.138382 |
| WP Code Highlight.js | <=0.6.3 |  | wp-code-highlightjs | Cross-Site Scripting | https://wordpress.org/plugins/wp-code-highlightjs/ | Remove | Plugin |  | https://www.systemtek.co.uk/2019/07/wp-code-highlightjs-wordpress-plugin-vulnerability-cve-2019-12934/ |
| Adaptive Images for WordPress | <0.6.67 | 0.6.67 | adaptive-images | Local File Inclusion | https://wordpress.org/plugins/adaptive-images/#developers | Update | Plugin | Discover doesn't reveal version affected, assume all. Change log only describes one fix, assumed to have fixed both issues | https://vuldb.com/?id.138392 |
| Adaptive Images for WordPress | <0.6.67 | 0.6.67 | adaptive-images | Directory Traversal | https://wordpress.org/plugins/adaptive-images/#developers | Update | Plugin | Discover doesn't reveal version affected, assume all. Change log only describes one fix, assumed to have fixed both issues | https://vuldb.com/?id.138393 |
| Viral Quiz Maker - OnionBuzz | <=1.2.6 | 1.2.7 |  | SQL Injection | https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001 | See Notes | Plugin | Discover doesn't reveal version affected, assume all. Something specific in the change log for this fix, but not the issue below (https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001) | https://vuldb.com/?id.138403 |
| Viral Quiz Maker - OnionBuzz | <=1.2.1 | See Notes |  | SQL Injection | https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001 | See Notes | Plugin | Discover doesn't reveal version affected, assume all. Nothing specific in the change log for this fix (https://codecanyon.net/item/viral-quiz-maker-onionbuzz-for-wordpress/20021001) | https://vuldb.com/?id.138404 |
| WP SVG Icons | <=3.2.2 |  | svg-vector-icon-plugin | Cross-Site Request Forgery leading to a file upload | https://wordpress.org/plugins/svg-vector-icon-plugin/ | Remove (see notes) | Plugin | Changelog is hidden (https://en-gb.wordpress.org/plugins/svg-vector-icon-plugin/#developers), but a recent change has been made which may be a fix | https://www.pluginvulnerabilities.com/2019/07/22/vulnerability-details-cross-site-request-forgery-csrf-arbitrary-file-upload-in-wp-svg-icons/ |
| Breeze | <1.0.11 | 1.0.11 | breeze | Open Redirect | https://wordpress.org/plugins/breeze/ | Update | Plugin |  | https://www.pluginvulnerabilities.com/2019/07/22/our-plugin-security-checker-caught-an-authenticated-open-redirect-vulnerability-in-breeze/ |
| WPS Hide Login | <1.5.3 | 1.5.3 | wps-hide-login | Multiple, see notes | https://wordpress.org/plugins/wps-hide-login/ | Update | Plugin | Protection bypass, parameter passing and path disclosure | https://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/ |
| Simple Membership | <3.8.5 | 3.8.5 | simple-membership | Cross-Site Request Forgery | https://wordpress.org/plugins/simple-membership | Update | Plugin | Discover doesn't reveal version affected, assume all | https://www.pluginvulnerabilities.com/2019/07/23/vulnerability-details-cross-site-request-forgery-csrf-in-simple-wordpress-membership-simple-membership/ |
| GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership | <1.4.13 | 1.4.13 | gourl-bitcoin-payment-gateway-paid-downloads-membership | Unauthorised Privilege Escalation | https://wordpress.org/plugins/gourl-bitcoin-payment-gateway-paid-downloads-membership/ | Update | Plugin | Discover doesn't reveal version affected, assume all. There is nothing in the changelog about this (https://wordpress.org/plugins/gourl-bitcoin-payment-gateway-paid-downloads-membership/#developers) | https://vuldb.com/?id.138469 |
| Yes-co ORES | <1.3.45 |  | yes-co-ores-wordpress-plugin | Authenticated Persistent Cross-Site Scripting | https://wordpress.org/plugins/yes-co-ores-wordpress-plugin/ | Remove (see notes) | Plugin | Changelog is hidden (https://en-gb.wordpress.org/plugins/svg-vector-icon-plugin/#developers), but a recent change has been made which may be a fix | https://www.pluginvulnerabilities.com/2019/07/23/our-proactive-monitoring-caught-an-authenticated-persistent-cross-site-scripting-xss-vulnerability-in-yes-co-ores/ |
| WooCommerce Product Feed | <3.1.16 | 3.1.16 | webappick-product-feed-for-woocommerce | Reflected Cross-Site Scripting | https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/ | Update | Plugin |  | https://www.pluginvulnerabilities.com/2019/07/23/vulnerabilty-details-reflected-cross-site-scripting-xss-in-woocommerce-product-feed/ |
| Taxonomy Converter | <1.2 | 1.2 | taxonomy-converter | See Notes | https://wordpress.org/plugins/taxonomy-converter/ | Update | Plugin | Possible Cross-Site Scripting | https://plugins.trac.wordpress.org/changeset/2128822 |
| WCFM – WooCommerce Frontend Manager for WC Vendors Dokan with Bookings & Listings | <6.2.4 | 6.2.4 | wc-frontend-manager | See Notes | https://wordpress.org/plugins/wc-frontend-manager/ | Update | Plugin | Possible Cross-Site Scripting | https://plugins.trac.wordpress.org/changeset/2127468 |
| WC Peach Payments Gateway | <1.3.4 | 1.3.4 | wc-peach-payments-gateway | See Notes | https://wordpress.org/plugins/wc-peach-payments-gateway/ | Update | Plugin | No change log available to check; possible Cross-Site Scripting | https://plugins.trac.wordpress.org/changeset/2126650 |
| WCFM Marketplace – WooCommerce Multivendor Marketplace | <3.1.5 | 3.1.5 | wc-multivendor-marketplace | See Notes | https://wordpress.org/plugins/wc-multivendor-marketplace/ | Update | Plugin | Lots of sanitisation in the new commits; possible SQL Injection / Cross-Site Scripting | https://plugins.trac.wordpress.org/changeset/2127471 |
| rtMedia for WordPress, BuddyPress and bbPress | <4.5.7 | 4.5.7 | buddypress-media | File Upload, see notes | https://wordpress.org/plugins/buddypress-media/ | Update | Plugin | In https://plugins.trac.wordpress.org/changeset/2104741 the only obvious change to user permissions is an is_admin check on a deletion, so possibly a file deletion issue | https://www.pluginvulnerabilities.com/2019/07/26/vulnerability-details-restricted-file-upload-in-rtmedia-for-wordpress-buddypress-and-bbpress/ |
| Widget for Facebook Page Feeds | <5.0 |  | facebook-pagelike-widget | Authenticated Persistent Cross-Site Scripting | https://wordpress.org/plugins/facebook-pagelike-widget/ | Remove (see notes) | Plugin | Closed yesterday, no commits since; assume not being worked on and remove | https://www.pluginvulnerabilities.com/2019/07/26/authenticated-persistent-cross-site-scripting-xss-vulnerability-in-facebook-widget-widget-for-facebook-page-feeds/ |
| Contact Form & SMTP Plugin for WordPress by PirateForms | <2.5.2 | 2.5.2 | pirate-forms | HTML Injection | https://wordpress.org/plugins/pirate-forms/ | Update | Plugin |  | https://blog.nintechnet.com/html-injection-vulnerability-in-wordpress-pirate-forms-plugin/ |