20190419 Vulnerable Plugins/Themes Report
Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source
YellowPencil Visual CSS Style Editor | unknown, assume all | unfixed | yellow-pencil-visual-theme-customizer | Unauthenticated Arbitrary Options Update | https://wordpress.org/plugins/yellow-pencil-visual-theme-customizer/ | Remove | Plugin | | https://www.wordfence.com/blog/2019/04/zero-day-vulnerability-in-yellow-pencil-visual-theme-customizer-exploited-in-the-wild/
Advanced Contact form 7 DB | 1.6.0 and earlier | 1.6.1 | advanced-cf7-db | Authenticated SQL Injection | https://wordpress.org/plugins/advanced-cf7-db/ | Update | Plugin | | https://blog.sucuri.net/2019/04/sql-injection-in-advance-contact-form-7-db.html
Yuzo Related Posts | assume all | unfixed | yuzo-related-posts | Unauthenticated Arbitrary Options Update | https://wordpress.org/plugins/yuzo-related-posts/ | Remove | Plugin | | https://stackoverflow.com/questions/55610548/vulnerability-in-closed-plugin-yuzo-related-posts
Form Maker by 10Web | 1.13.4 and earlier | 1.13.5 | form-maker | Cross-Site Request Forgery to Local File Inclusion | https://wordpress.org/plugins/form-maker/ | Update | Plugin | | https://packetstormsecurity.com/files/152408/wpformmaker1132-xsrflfi.txt
Contact Form by WD | 1.13.4 and earlier | 1.13.5 | contact-form-maker | Cross-Site Request Forgery to Local File Inclusion | https://wordpress.org/plugins/contact-form-maker/ | Update | Plugin | | https://seclists.org/fulldisclosure/2019/Apr/11
Mega Main Menu | assume all | unfixed | mega_main_menu | Unauthenticated Sensitive Information Disclosure | http://menu.megamain.com/ | Use with caution | Plugin | Paid plugin, so I don't have access. This could be an intentional feature. Allows unauthenticated retrieval of a backup of the data related to the menu structure/plugin. Not critical, but does appear to expose the activation key for the plugin. | https://cxsecurity.com/issue/WLB-2019040051
Limit Login Attempts Reloaded | assume all | unfixed | limit-login-attempts-reloaded | Plugin Bypass | https://wordpress.org/plugins/limit-login-attempts-reloaded/ | Use with caution | Plugin | Researcher doesn't indicate when the vulnerability was introduced (the Packet Storm filename references 2.7.4). The plugin is supposed to limit login attempts, but can be bypassed. | https://packetstormsecurity.com/files/152433/wpllar274-bypass.txt
Groundhogg | 1.3.4 and earlier | 1.3.5 | groundhogg | Authenticated Remote Code Execution | https://wordpress.org/plugins/groundhogg/ | Update Immediately | Plugin | | https://www.pluginvulnerabilities.com/2019/04/05/our-proactive-monitoring-caught-an-authenticated-remote-code-execution-rce-vulnerability-being-introduced-in-to-groundhogg/
SupportCandy | 2.0.0 and earlier | 2.0.1 | supportcandy | Arbitrary File Upload | https://wordpress.org/plugins/supportcandy/ | Update Immediately | Plugin | CVE-2019-11223 | https://nvd.nist.gov/vuln/detail/CVE-2019-11223
WordPress Download Manager | 2.9.93 and earlier | 2.9.94 | download-manager | Cross-Site Scripting | https://wordpress.org/plugins/download-manager/ | Update | Plugin | | https://packetstormsecurity.com/files/152511/wpdm2992-xss.txt
LeaderBoard Plugin | 1.11.2 (as recorded) | not recorded | leaderboard-lite | Cross-Site Scripting | https://wordpress.org/plugins/leaderboard-lite/ | Update | Plugin | The sheet records a single version, 1.11.2; whether it is the last affected release or the fixed release is not stated. | https://wordpress.org/plugins/leaderboard-lite/#developers
Apply Online | assume all | unfixed | apply-online | Authenticated Arbitrary File Viewing | https://wordpress.org/plugins/apply-online/ | Remove | Plugin | | https://www.pluginvulnerabilities.com/2019/04/15/our-proactive-monitoring-caught-an-authenticated-arbitrary-file-viewing-vulnerability-being-introduced-in-to-apply-online/
WP Inventory Manager | 1.8.1 and earlier | 1.8.2 | wp-inventory-manager | Stored Cross-Site Scripting | https://wordpress.org/plugins/wp-inventory-manager/ | Update | Plugin | "Researcher" doesn't indicate when the vulnerability was introduced; assume all previous versions. | https://www.pluginvulnerabilities.com/2019/04/15/persistent-cross-site-scripting-xss-vulnerability-in-wp-inventory-manager/
Resize Image After Upload | 1.8.5 and earlier | 1.8.6 | resize-image-after-upload | Cross-Site Request Forgery | https://wordpress.org/plugins/resize-image-after-upload/ | Update | Plugin | Changelog states "improviing security to the settings form by adding nonce" | https://wordpress.org/plugins/resize-image-after-upload/#developers
smart Archive Page Remove | 3 and earlier | 4 | smart-archive-page-remove | Unsure, see notes | https://wordpress.org/plugins/smart-archive-page-remove/ | Update | Plugin | Changelog states "security vulnerability in AJAX call" | https://wordpress.org/plugins/smart-archive-page-remove/#developers
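The Suggested Action column only becomes actionable once you know which of these plugins are installed, and at what version. The script below is an added example and is not part of the original report: it transcribes the rows above into a lookup table, reads each plugin's Version: header the way WordPress does (first 8 KiB of the top-level .php file that also carries a Plugin Name: header), and flags any installed plugin that is below the fixed version or that the report lists as unfixed ("assume all" rows therefore match at any version). leaderboard-lite is left out because the sheet does not record which version is affected and which is fixed. The plugin tree built by build_sample_tree() is constructed for the demo; the slugs and versions in it are not real findings.

```python
"""Flag plugins from the 2019-04-19 report inside a wp-content/plugins tree.

Added example, not part of the original report. The sample plugin tree built
by build_sample_tree() is constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Rows transcribed from the report: plugin directory -> (fixed version, action).
# None means the report lists the plugin as unfixed ("assume all" affected), so
# every installed version matches. leaderboard-lite is omitted because the sheet
# does not say whether its single recorded version is the affected or fixed one.
REPORT = {
    "yellow-pencil-visual-theme-customizer": (None, "Remove"),
    "advanced-cf7-db": ("1.6.1", "Update"),
    "yuzo-related-posts": (None, "Remove"),
    "form-maker": ("1.13.5", "Update"),
    "contact-form-maker": ("1.13.5", "Update"),
    "mega_main_menu": (None, "Use with caution"),
    "limit-login-attempts-reloaded": (None, "Use with caution"),
    "groundhogg": ("1.3.5", "Update Immediately"),
    "supportcandy": ("2.0.1", "Update Immediately"),
    "download-manager": ("2.9.94", "Update"),
    "apply-online": (None, "Remove"),
    "wp-inventory-manager": ("1.8.2", "Update"),
    "resize-image-after-upload": ("1.8.6", "Update"),
    "smart-archive-page-remove": ("4", "Update"),
}

# Same shape as the pattern WordPress uses for file headers: optional comment
# decoration, then the header name at the start of a line.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """'2.9.93' -> (2, 9, 93). Non-numeric pieces such as 'beta' count as 0,
    which is adequate for the dotted numeric versions in the report."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", text.strip()))


def is_vulnerable(installed, fixed):
    """Unfixed rows match every version; otherwise anything below the fix."""
    if fixed is None:
        return True
    return parse_version(installed) < parse_version(fixed)


def read_plugin_version(plugin_dir):
    """Return the Version: header of the plugin's main file, or None.
    Only the first 8 KiB of each top-level .php file is inspected, and a file
    must carry a Plugin Name: header so helper files are skipped."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        if not _NAME_RE.search(head):
            continue
        match = _VERSION_RE.search(head)
        if match:
            return match.group(1)
    return None


def installed_plugins(plugins_root):
    """Map plugin directory name -> version for every plugin directory under
    plugins_root (single-file plugins such as hello.php are not scanned)."""
    found = {}
    for entry in sorted(Path(plugins_root).iterdir()):
        if entry.is_dir():
            version = read_plugin_version(entry)
            if version:
                found[entry.name] = version
    return found


def check_installed(installed):
    """Compare {slug: version} against REPORT.
    Returns (slug, installed_version, fixed_version, suggested_action) tuples."""
    findings = []
    for slug, version in sorted(installed.items()):
        if slug in REPORT:
            fixed, action = REPORT[slug]
            if is_vulnerable(version, fixed):
                findings.append((slug, version, fixed, action))
    return findings


def build_sample_tree():
    """Constructed sample wp-content/plugins tree (not real plugin code)."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    samples = {
        "groundhogg": "1.3.4",         # below the fix: update immediately
        "download-manager": "2.9.94",  # already at the fixed version
        "yuzo-related-posts": "5.0",   # listed as unfixed: matches regardless
        "akismet": "4.1.1",            # not in the report
    }
    for slug, version in samples.items():
        plugin_dir = root / slug
        plugin_dir.mkdir()
        (plugin_dir / "helper.php").write_text("<?php // no header here\n")
        (plugin_dir / f"{slug}.php").write_text(
            f"<?php\n/*\n * Plugin Name: {slug}\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for slug, version, fixed, action in check_installed(installed_plugins(build_sample_tree())):
        print(f"{slug} {version}: {action} (fixed in {fixed or 'no fix available'})")
```

Point installed_plugins() at a real wp-content/plugins directory to run it against a site. The comparison is deliberately "installed is below the fixed release", not "installed is at or below the last affected release", so a version between the two is still flagged; for the unfixed rows the only safe answer the report gives is to remove or review the plugin, regardless of version.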