20170505 Vulnerable Plugins/Themes Report
| Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source |
|---|---|---|---|---|---|---|---|---|---|
| Flickr Picture Backup | all versions | unfixed | flickr-picture-backup | Arbitrary File Upload | Plugin removed from public repository | Remove Immediately | Plugin | Interestingly, there's a version 0.8 but it also has the same version. The only difference is that the author switched from retrieving the url parameter from _GET to _POST. | http://www.vapidlabs.com/advisory.php?v=190 |
| Answer My Question | 1.3 | unfixed | answer-my-question | Cross Site Scripting | Plugin removed from public repository | Remove | Plugin | This one also has a SQL injection found back in 2016 | https://wpvulndb.com/vulnerabilities/8800 |
| WP Athletics | all versions | unfixed | ap-athletics | SQL Injection | https://wordpress.org/plugins/ap-athletics/ | Remove | Plugin | | https://wordpress.org/support/topic/sql-injection-vulerability/ |
| WM Simple Captcha | all versions | unfixed | wm-simple-captcha | CAPTCHA bypass | https://wordpress.org/plugins/wm-simple-captcha/ | Switch to a different solution | Plugin | | https://wordpress.org/support/topic/easily-bypassed-vulnerable/ |
| Avada Theme | 5.1.4 and earlier | 5.1.5 | avada | Stored Cross-Site Scripting and Cross-Site Request Forgery | https://wordpress.org/themes/avada | Update | Theme | | http://wphutte.com/avada-5-1-4-stored-xss-and-csrf/ |
| Login with AJAX Plugin | 3.1.6 and earlier | 3.1.7 | login-with-ajax | Cross-Site Scripting | https://wordpress.org/plugins/login-with-ajax/ | Update | Plugin | | Changelog: https://wordpress.org/plugins/login-with-ajax/#developers |
| Photo Gallery by WD | 1.3.37 and earlier | 1.3.38 | photo-gallery | Authenticated SQL Injection | https://wordpress.org/plugins/photo-gallery/ | Update | Plugin | | http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf |
| Form Maker by WD | 1.11.1 and earlier | 1.12.1 | form-maker | Stored Cross-Site Scripting | https://wordpress.org/plugins/form-maker/ | Update | Plugin | | Changelog: https://wordpress.org/plugins/form-maker/#developers |
| WordPress Facebook (by WD) | 1.0.13 and earlier | 1.0.14 | spider-facebook | SQL Injection and Cross-Site Request Forgery | https://wordpress.org/plugins/spider-facebook/ | Update | Plugin | | http://www.defensecode.com/advisories/DC-2017-04-011_WordPress_Facebook_Plugin_Advisory.pdf |
| Calendar by WD | 1.5.51 and earlier | 1.5.52 | spider-event-calendar | Authenticated SQL Injection and Cross-Site Request Forgery | https://wordpress.org/plugins/spider-event-calendar/ | Update | Plugin | | http://www.defensecode.com/advisories/DC-2017-01-017_WordPress_Spider_Event_Calendar_Plugin_Advisory.pdf |