20190510 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Print My Blog | <=1.6.5 | 1.6.6 | print-my-blog | Unauthenticated Server-Side Request Forgery | https://wordpress.org/plugins/print-my-blog/ | Update | Plugin | | http://dumpco.re/bugs/wp-plugin-print-my-blog-ssrf via https://wpvulndb.com/vulnerabilities/9263 |
| Polldeep | 1.2 (possibly earlier) | 1.3 | polldeep | Arbitrary File Upload (authenticated, per source) | https://wordpress.org/plugins/polldeep/ | Update Immediately | Plugin | The vulnerable file was removed in version 1.3 | https://www.pluginvulnerabilities.com/2019/04/29/our-proactive-monitoring-caught-an-authenticated-arbitrary-file-upload-vulnerability-in-polldeep/ |
| KingComposer | 2.8.1 | 2.8.2 | kingcomposer | Authenticated Stored Cross-Site Scripting | https://wordpress.org/plugins/kingcomposer/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9265 |
| User Submitted Posts | < 20190426 | 20190501 | user-submitted-posts | Arbitrary File Upload | https://wordpress.org/plugins/user-submitted-posts/ | Update Immediately | Plugin | | https://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-user-submitted-posts-plugin/ |
| Advanced Woo Search | <=1.6.8 | 1.7.0 | advanced-woo-search | Cross-Site Request Forgery + unknown, see notes | https://wordpress.org/plugins/advanced-woo-search/ | Update | Plugin | Changelog entries for 1.6.9 and 1.7.0 state "Dev – Update security checks" and "Update nonce check" | https://wordpress.org/plugins/advanced-woo-search/#developers |
| Shortlinks by Pretty Links | 2.1.8 | 2.1.9 | pretty-link | Unknown, see notes | https://wordpress.org/plugins/pretty-link/ | Update | Plugin | Changelog states "Fixed some security issues" | https://wordpress.org/plugins/pretty-link/#developers |
| Blog Designer | all, see notes | unfixed, see notes | blog-designer | Authenticated Stored Cross-Site Scripting | https://wordpress.org/plugins/blog-designer/ | Remove | Plugin | The researcher does not state when the vulnerability was introduced, so assume all prior versions are affected. The plugin author has attempted a fix, but the settings handler still performs no capability check on the user submitting the data and no sanitization of the submitted values; it currently only checks for a valid nonce. Leaving this as "unfixed". | https://www.pluginvulnerabilities.com/2019/04/30/wordpress-paints-a-target-on-exploitable-settings-change-vulnerability-that-permits-persistent-xss-in-blog-designer/ |
| Master Popups Light | 1.0.1 and earlier | 1.0.2 | master-popups-light | Authenticated Remote Code Execution | https://wordpress.org/plugins/master-popups-light/ | Update | Plugin | 1.0.2 adds capability checks for manage_options | https://www.pluginvulnerabilities.com/2019/05/06/our-proactive-monitoring-caught-an-authenticated-remote-code-execution-rce-vulnerability-in-the-new-plugin-master-popups-lite/ |
| W3 Total Cache | <=0.9.7.3 | 0.9.7.4 | w3-total-cache | Cross-Site Scripting | https://wordpress.org/plugins/w3-total-cache/ | Update Immediately | Plugin | | https://wpvulndb.com/vulnerabilities/9269 |
| W3 Total Cache | <=0.9.7.4 | 0.9.7.5 | w3-total-cache | Server-Side Request Forgery / Remote Code Execution via phar | https://wordpress.org/plugins/w3-total-cache/ | Update Immediately | Plugin | | https://wpvulndb.com/vulnerabilities/9270 |
| W3 Total Cache | <=0.9.7.5 | 0.9.7.6 | w3-total-cache | Cryptographic Signature Bypass | https://wordpress.org/plugins/w3-total-cache/ | Update Immediately | Plugin | | https://wpvulndb.com/vulnerabilities/9271 |
| All-In-One Event Calendar | <=2.5.38 | 2.5.39 | all-in-one-event-calendar | Cross-Site Scripting, see notes | https://wordpress.org/plugins/all-in-one-event-calendar/ | Update | Plugin | Changelog states "Fixxed XSS Security vulnerability" [sic] | https://wordpress.org/plugins/all-in-one-event-calendar/#developers |
| My Calendar | <=3.1.9 | 3.1.10 | my-calendar | Cross-Site Scripting | https://wordpress.org/plugins/my-calendar/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9267 |
| WP Live Chat Support Pro | <=8.0.11 | unknown, see notes | wp_live_chat | Arbitrary File Upload (CVE-2019-11185) | https://wp-livechat.com/ | Update Immediately | Plugin | Per the source, this affects the Pro version of the plugin; the version numbers do not match the free plugin's release timeline. The specific version in which the fix was introduced could not be identified. | https://blog.alertlogic.com/alert-logic-uncovers-new-vulnerability-in-wordpress-wp-live-chat-cve-2019-11185/ |
| WP Meta and Date Remover | <=1.6 | 1.7.5 | wp-meta-and-date-remover | Stored Cross-Site Scripting via Cross-Site Request Forgery | https://wordpress.org/plugins/wp-meta-and-date-remover/ | Update | Plugin | | https://blog.sucuri.net/2019/05/persistent-xss-via-csrf-in-wp-meta-and-date-remover.html |
| Custom Field Suite | <=2.5.14 | 2.5.15 | custom-field-suite | Authenticated Cross-Site Scripting | https://wordpress.org/plugins/custom-field-suite/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/9273 |
| Ninja Forms File Uploads Extension | <=3.0.22 | 3.0.23 | ninja-forms-uploads | Arbitrary File Upload | https://wordpress.org/plugins/ninja-forms-uploads/ | Update Immediately | Plugin | | https://www.onvio.nl/nieuws/ninjaforms-vulnerability via https://wpvulndb.com/vulnerabilities/9272 |
| Kanzu Support Desk | assume all, see notes | unfixed | kanzu-support-desk | Remote Code Execution | https://wordpress.org/plugins/kanzu-support-desk/ | Remove Immediately | Plugin | The researcher does not state when the vulnerability was introduced, so assume all versions are affected. The plugin has been closed in the public repository. | https://www.pluginvulnerabilities.com/2019/05/09/our-proactive-monitoring-caught-a-remote-code-execution-rce-vulnerability-in-kanzu-support-desk/ |
| WP Booking System | <=1.5.1 | 1.5.2 | wp-booking-system | Unknown, see notes | https://wordpress.org/plugins/wp-booking-system/ | Update | Plugin | Changelog states "Security Improvements" | https://wordpress.org/plugins/wp-booking-system/#developers |
| Ultimate FAQ | <=1.8.21 | 1.8.22 | ultimate-faq | Cross-Site Scripting | https://wordpress.org/plugins/ultimate-faq/ | Update | Plugin | Changelog states "Fixes a minor possible XSS issue" | https://wordpress.org/plugins/ultimate-faqs/#developers |
| WP Database Backup | <=5.1.2 | 5.2 | wp-database-backup | Unknown, see notes | https://wordpress.org/plugins/wp-database-backup/ | Update | Plugin | Changelog states "Security Changes - Fixed Vulnerability" | https://wordpress.org/plugins/wp-database-backup/#developers |
| BP Who Favorited | 1.0 | 1.1 | bp-who-favorited | Unknown, see notes | https://wordpress.org/plugins/bp-who-favorited/ | Update | Plugin | Changelog states "Security Updates" | https://wordpress.org/plugins/bp-who-favorited/#developers |
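The Blog Designer and Master Popups Light notes above come down to the same WordPress mistake: a settings handler that verifies a nonce but never checks the submitting user's capability (and, in the Blog Designer case, stores the input unsanitized). The following is an added example written for this report, not code from either plugin; the `example_` prefix, the option names and the nonce action are hypothetical.

```php
<?php
// Added example for this report; not code from Blog Designer, Master Popups
// Light or any other plugin listed above. The "example_" prefix, option
// names and nonce action are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// admin-post.php fires the admin_post_{action} hook for ANY authenticated
// user; it performs no capability check of its own. A nonce only ties the
// request to a form this site issued to that user's session; it says
// nothing about what the user is allowed to do. If the form (or an AJAX
// handler) exposes the nonce to low-privileged users, this handler accepts
// their input and stores it raw. Wherever the option is later echoed, the
// payload runs: stored XSS.
function example_save_settings_vulnerable() {
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_settings' ) ) {
        wp_die( 'Invalid nonce.' );
    }
    update_option( 'example_footer_text', $_POST['footer_text'] );   // raw, unsanitized
    update_option( 'example_accent_color', $_POST['accent_color'] ); // raw, unsanitized
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// --- Hardened pattern ---------------------------------------------------
// 1. Capability check on the current user (the manage_options check that
//    Master Popups Light 1.0.2 added).
// 2. Nonce check, so a logged-in admin cannot be CSRF'd into saving.
// 3. Sanitize on save with a sanitizer matching the field's meaning.
// 4. Escape at the output sink regardless of what is stored.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $footer_text = isset( $_POST['footer_text'] )
        ? wp_kses_post( wp_unslash( $_POST['footer_text'] ) )        // post-safe HTML only
        : '';
    $accent = isset( $_POST['accent_color'] )
        ? sanitize_hex_color( wp_unslash( $_POST['accent_color'] ) ) // '#rgb'/'#rrggbb' or nothing
        : '';

    update_option( 'example_footer_text', $footer_text );
    update_option( 'example_accent_color', $accent ? $accent : '#000000' );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// Output side: escape at the sink even though input was sanitized, because
// other code paths (imports, data written by an older version) may have
// populated the option.
function example_render_footer() {
    $text   = get_option( 'example_footer_text', '' );
    $accent = get_option( 'example_accent_color', '#000000' );
    printf(
        '<div class="example-footer" style="border-color:%s">%s</div>',
        esc_attr( $accent ),
        wp_kses_post( $text )
    );
}

add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
add_action( 'wp_footer', 'example_render_footer' );
```

The order of the two checks in the hardened handler matters for review purposes rather than security: `current_user_can()` answers "may this user do this at all", `check_admin_referer()` answers "did this user intend this request". A handler that has only the second check, as the Blog Designer note describes, still lets any user who can reach the nonce change the settings.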
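Acting on a list like this means comparing each site's installed plugin versions against the affected ranges. The script below is an added example, not part of the report: it encodes a subset of the table and checks the JSON that `wp plugin list --format=json` produces (the sample output here is constructed, including the Kanzu Support Desk version). Two encoding choices are assumptions the table does not make explicit: Polldeep's "1.2 (possibly earlier)" is written as `<=1.2`, and the three W3 Total Cache rows collapse to the highest fixed version.

```php
<?php
// Added example; not part of the 2019-05-10 report itself. Encodes a subset
// of the table above and checks installed plugin versions against it.

// slug => [affected-version expression, fixed version or null when unfixed].
// Assumptions: Polldeep "1.2 (possibly earlier)" encoded as "<=1.2"; the
// three W3 Total Cache rows collapsed to the highest fixed version.
const REPORT_20190510 = [
    'print-my-blog'             => ['<=1.6.5',   '1.6.6'],
    'polldeep'                  => ['<=1.2',     '1.3'],
    'user-submitted-posts'      => ['<20190426', '20190501'],
    'blog-designer'             => ['all',       null],
    'master-popups-light'       => ['<=1.0.1',   '1.0.2'],
    'w3-total-cache'            => ['<=0.9.7.5', '0.9.7.6'],
    'all-in-one-event-calendar' => ['<=2.5.38',  '2.5.39'],
    'custom-field-suite'        => ['<=2.5.14',  '2.5.15'],
    'ninja-forms-uploads'       => ['<=3.0.22',  '3.0.23'],
    'kanzu-support-desk'        => ['all',       null],
];

/**
 * True when $installed falls inside $expr. Supported forms: "all", "<=X",
 * "<X", "=X". Anything else is treated as affected (fail closed) so a typo
 * in the table never silently hides a finding.
 */
function is_affected( string $expr, string $installed ): bool {
    $expr = trim( $expr );
    if ( 'all' === $expr ) {
        return true;
    }
    if ( preg_match( '/^(<=|<|=)\s*([0-9][0-9A-Za-z.\-]*)$/', $expr, $m ) ) {
        // version_compare() handles dotted versions and, via numeric
        // comparison, the bare date-style versions User Submitted Posts uses.
        return version_compare( $installed, $m[2], $m[1] );
    }
    return true;
}

/**
 * @param  string $wpCliJson Output of `wp plugin list --format=json`.
 * @param  array  $report    Table in the REPORT_20190510 shape.
 * @return array<int, array{slug:string, version:string, action:string}>
 */
function check_plugins( string $wpCliJson, array $report ): array {
    $findings = [];
    foreach ( json_decode( $wpCliJson, true ) as $plugin ) {
        $slug = $plugin['name']; // wp-cli reports the directory slug as "name"
        if ( ! isset( $report[ $slug ] ) ) {
            continue;
        }
        [ $expr, $fixed ] = $report[ $slug ];
        if ( is_affected( $expr, $plugin['version'] ) ) {
            $findings[] = [
                'slug'    => $slug,
                'version' => $plugin['version'],
                'action'  => null === $fixed ? 'remove (no fixed version)' : "update to $fixed",
            ];
        }
    }
    return $findings;
}

// Constructed sample of `wp plugin list --format=json` output (not from a real site).
$sample = '[
  {"name":"w3-total-cache","status":"active","update":"available","version":"0.9.7.4"},
  {"name":"print-my-blog","status":"active","update":"none","version":"1.6.6"},
  {"name":"user-submitted-posts","status":"inactive","update":"none","version":"20190413"},
  {"name":"kanzu-support-desk","status":"active","update":"none","version":"2.1.2"},
  {"name":"akismet","status":"active","update":"none","version":"4.1.2"}
]';

foreach ( check_plugins( $sample, REPORT_20190510 ) as $f ) {
    printf( "%-24s %-10s -> %s\n", $f['slug'], $f['version'], $f['action'] );
}
```

Inactive plugins are deliberately not skipped: an inactive plugin's files are still on disk and reachable over HTTP, which is exactly what matters for the arbitrary file upload and RCE rows. Rows whose affected range is given only as a single version (KingComposer, Pretty Links) are left out of the encoded subset rather than guessed at.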