20170630 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| WP Statistics | 12.0.7 and earlier | 12.0.8 | wp-statistics | SQL Injection | https://wordpress.org/plugins/wp-statistics/ | Update | Plugin | | https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.html |
| FormCraft | 1.0.5 and earlier | unfixed | formcraft-form-builder | Multiple SQL Injection | https://wordpress.org/plugins/formcraft-form-builder/ | Remove | Plugin | PacketStorm mentions the directory being 'formcraft'. SQL injection is definitely in the repository version and might also be in the paid version. Paid version directory appears to be 'formcraft3'. | https://packetstormsecurity.com/files/143116/wpformcraft105-sql.txt |
| Newsletters | 4.6.6.2 and earlier | unfixed | newsletters-lite | Cross-Site Request Forgery + Arbitrary File Upload | https://wordpress.org/plugins/newsletters-lite/ | Remove | Plugin | The two vulnerabilities need to be combined. | https://www.pluginvulnerabilities.com/2017/06/26/cross-site-request-forgery-csrfarbitrary-file-upload-vulnerability-in-newsletters/ |
| UpiCRM | 2.1.8.5 and earlier | unfixed | upi-crm-universal-crm-solution | Information Disclosure | https://wordpress.org/plugins/upi-crm-universal-crm-solution/ | Remove | Plugin | Alternatively, you could limit access to the upload directory and all child directories except for a whitelist of file types. | https://www.pluginvulnerabilities.com/2017/06/26/information-disclosure-vulnerability-in-upicrm/ |
| Ultimate Product Catalog | 4.2.2 and earlier | 4.2.3 | ultimate-product-catalog | SQL Injection | https://wordpress.org/plugins/ultimate-product-catalog/ | Update | Plugin | | https://packetstormsecurity.com/files/143158/wpupc422-sql.txt |
| Salon Booking System | 3.14 and earlier | unfixed | salon-booking-system | Cross-Site Request Forgery + Unauthorized Settings Change | https://wordpress.org/plugins/salon-booking-system/ | Remove | Plugin | | https://www.pluginvulnerabilities.com/2017/06/27/cross-site-request-forgery-csrfsettings-change-vulnerability-in-salon-booking-system/ |
| Postman SMTP | 1.7.2 and earlier | unfixed | postman-smtp | Cross-Site Scripting | https://wordpress.org/plugins/postman-smtp/ | Remove | Plugin | | https://www.pluginvulnerabilities.com/2017/06/29/reflected-cross-site-scripting-xss-vulnerability-in-postman-smtp/ |
| Brute Force Login Protection | 1.5.2 and earlier | 1.5.3 | brute-force-login-protection | Cross-Site Scripting | https://wordpress.org/plugins/brute-force-login-protection/ | Update | Plugin | | https://www.pluginvulnerabilities.com/2017/06/29/reflected-cross-site-scripting-xss-vulnerability-in-brute-force-login-protection/ |