20170728 Vulnerable Plugins/Themes Report
Name | Version(s) Affected | Fixed in Version | Plugin Directory | Vulnerability | Link/Plugin Status | Suggested Action | Plugin/Theme | Other Notes | Source
Stop User Enumeration | 1.3.8 and earlier | 1.3.9 | stop-user-enumeration | Functionality Bypass | https://wordpress.org/plugins/stop-user-enumeration/ | Update | Plugin | | https://security.dxw.com/advisories/stop-user-enumeration-rest-api/
YouTube Embed | 11.8.1 and earlier | 11.8.2 | youtube-embed-plus | Cross-Site Request Forgery | https://wordpress.org/plugins/youtube-embed-plus/ | Update | Plugin | | https://security.dxw.com/advisories/csrf-in-youtube-plugin/
WP Rocket | 2.10.3 | 2.10.4 | wp-rocket | Local File Inclusion | https://wp-rocket.me/changelog | Update | Plugin | | https://wpvulndb.com/vulnerabilities/8872
WordPress Task Manager Pro | all versions | unfixed | task-manager-pro | Authenticated Reflected Cross-Site Scripting | https://codecanyon.net/item/task-manager-pro-all-in-one-project-based-task-management-plugin-for-wordrpress/19864872 | Remove | Plugin | | https://packetstormsecurity.com/files/143419/
WordPress Task Manager Pro | all versions | unfixed | task-manager-pro | Authenticated Stored Cross-Site Scripting | https://codecanyon.net/item/task-manager-pro-all-in-one-project-based-task-management-plugin-for-wordrpress/19864873 | Remove | Plugin | | https://packetstormsecurity.com/files/143419/
WordPress Task Manager Pro | all versions | unfixed | task-manager-pro | SQL Injection | https://codecanyon.net/item/task-manager-pro-all-in-one-project-based-task-management-plugin-for-wordrpress/19864874 | Remove | Plugin | | https://packetstormsecurity.com/files/143419/
IBPS Online Exam | all versions | unfixed | examapp | Stored Cross-Site Scripting | https://codecanyon.net/item/ibps-online-exam-plugin-for-wordpress/20028534 | Remove | Plugin | | https://www.exploit-db.com/exploits/42351/
IBPS Online Exam | all versions | unfixed | examapp | SQL Injection | https://codecanyon.net/item/ibps-online-exam-plugin-for-wordpress/20028534 | Remove | Plugin | | https://www.exploit-db.com/exploits/42351/
Simple Custom CSS and JS | 3.3 and earlier | 3.4 | custom-css-js | Cross-Site Scripting | https://wordpress.org/plugins/custom-css-js/ | Update | Plugin | | http://jvn.jp/en/jp/JVN31459091/
DSubscribers | 1.2 and earlier | 1.2.1 | dsubscribers | Authenticated SQL Injection | https://wordpress.org/plugins/dsubscribers/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/8864
WP Statistics | 12.0.9 and earlier | 12.0.10 | wp-statistics | Authenticated Cross-Site Scripting | https://wordpress.org/plugins/wp-statistics/ | Update | Plugin | | https://wpvulndb.com/vulnerabilities/8866
Arabic Font | all versions | unfixed | arabic-font | Cross-Site Request Forgery | https://wordpress.org/plugins/arabic-font/ | Remove | Plugin | | https://wpvulndb.com/vulnerabilities/8868
Arabic Font | all versions | unfixed | arabic-font | Authenticated Cross-Site Scripting | https://wordpress.org/plugins/arabic-font/ | Remove | Plugin | | https://wpvulndb.com/vulnerabilities/8868
Popup Maker | 1.6.4 and earlier | 1.6.5 | popup-maker | Cross-Site Scripting | https://wordpress.org/plugins/popup-maker/ | Update | Plugin | | http://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000181.html
WooCommerce Catalog Enquiry | 3.1.1 | see notes | woocommerce-catalog-enquiry | Arbitrary File Upload | https://wordpress.org/plugins/woocommerce-catalog-enquiry/ | Remove | Plugin | This was initially disclosed back in April. A fix was released and the plugin reinstated in the repo, but the issue is only partially fixed. | https://plugins.trac.wordpress.org/browser/woocommerce-catalog-enquiry/tags/3.1.1/classes/class-wc-Woocommerce-Catalog-Enquiry-ajax.php
Contact Form 7 International Sms Integration | all versions | unfixed | cf7-international-sms-integration | Cross-Site Scripting | https://wordpress.org/plugins/cf7-international-sms-integration/ | Remove | Plugin | | https://www.pluginvulnerabilities.com/2017/07/19/reflected-cross-site-scripting-xss-vulnerability-in-contact-form-7-international-sms-integration/
Share Buttons by AddThis | 5.3.5 and earlier | 5.3.6 | addthis | Cross-Site Request Forgery / Settings Change | https://wordpress.org/plugins/addthis/ | Update | Plugin | | https://www.pluginvulnerabilities.com/2017/07/19/cross-site-request-forgery-csrfsettings-change-vulnerability-in-share-buttons-by-addthis/
Web Librarian | 3.4.8.6 and earlier | 3.4.8.7 | weblibrarian | Cross-Site Scripting | https://wordpress.org/plugins/weblibrarian/ | Update | Plugin | | https://www.pluginvulnerabilities.com/2017/07/25/reflected-cross-site-scripting-xss-vulnerability-in-weblibrarian/
Ultimate Affiliate Pro | 3.6 and earlier | see notes | | Multiple Authenticated Stored Cross-Site Scripting | https://codecanyon.net/item/ultimate-affiliate-pro-wordpress-plugin/16527729 | Remove | Plugin | At least according to codecanyon, it appears that 3.6 is the latest version. If you are using this plugin, I would contact wpindeed and ask if they are aware of the issue and if a fix is available. | https://packetstormsecurity.com/files/143497/WP-AffilliatePro3.6-XSS.txt
Formcraft Form Builder | 3.2.31 | see notes | formcraft3 | Authenticated Stored Cross-Site Scripting | http://formcraft-wp.com/changelog/ | Remove | Plugin | At least according to the changelog, no newer version exists, so I have marked this as unfixed. However, since it is a paid plugin, I do not have access to the source file to verify that the vulnerability exists. | 
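To turn the rows above into something a site owner can act on, the following added example (my code, not part of the original report or of any of the listed plugins) matches a WordPress plugin inventory against a subset of the table. It assumes the inventory is the JSON printed by `wp plugin list --format=json --fields=name,version,status` (WP-CLI's `name` field is the plugin directory slug, which is what the Plugin Directory column holds); the inventory embedded below is constructed for the demo, not captured from a real site. For the report's "X and earlier" rows it treats every version below the "Fixed in" release as affected; rows that list a single version ("WP Rocket 2.10.3", "WooCommerce Catalog Enquiry 3.1.1") match only that version, exactly as the table states.

```python
"""Match a WordPress plugin inventory against the 2017-07-28 report rows.

Added example, not part of the original report. Input is the JSON that
`wp plugin list --format=json --fields=name,version,status` prints; the
SAMPLE_INVENTORY below is constructed for the demo.
"""
import json

# Subset of the report, keyed by plugin directory slug.
# rule "lt":  affected when installed < fixed ("X and earlier" rows)
# rule "eq":  only the single listed version is reported affected
# rule "all": every version, no fix published (report says Remove)
# Tuple layout: (rule, version bound, fixed-in version or None, action)
REPORT = {
    "stop-user-enumeration":       ("lt",  "1.3.9",   "1.3.9",   "Update"),
    "youtube-embed-plus":          ("lt",  "11.8.2",  "11.8.2",  "Update"),
    "wp-rocket":                   ("eq",  "2.10.3",  "2.10.4",  "Update"),
    "task-manager-pro":            ("all", None,      None,      "Remove"),
    "examapp":                     ("all", None,      None,      "Remove"),
    "custom-css-js":               ("lt",  "3.4",     "3.4",     "Update"),
    "dsubscribers":                ("lt",  "1.2.1",   "1.2.1",   "Update"),
    "wp-statistics":               ("lt",  "12.0.10", "12.0.10", "Update"),
    "arabic-font":                 ("all", None,      None,      "Remove"),
    "popup-maker":                 ("lt",  "1.6.5",   "1.6.5",   "Update"),
    "woocommerce-catalog-enquiry": ("eq",  "3.1.1",   None,      "Remove"),  # fix only partial
    "addthis":                     ("lt",  "5.3.6",   "5.3.6",   "Update"),
    "weblibrarian":                ("lt",  "3.4.8.7", "3.4.8.7", "Update"),
}


def parse_version(v):
    """'12.0.10' -> (12, 0, 10); a suffix such as '3.4-beta' compares as 3.4."""
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1. Missing trailing components count as 0 (3.4 == 3.4.0),
    and components compare numerically, so 12.0.10 is newer than 12.0.9."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(rule, bound, installed):
    if rule == "all":
        return True
    if rule == "lt":
        return compare_versions(installed, bound) < 0
    if rule == "eq":
        return compare_versions(installed, bound) == 0
    raise ValueError("unknown rule %r" % rule)


def check_inventory(wp_cli_json):
    """Return (slug, installed version, action, fixed-in) for each hit.

    The plugin's active/inactive status is deliberately not used as a
    filter: an inactive plugin's files are still present under wp-content,
    so the report's Remove advice applies to it too."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        entry = REPORT.get(plugin["name"])
        if entry is None:
            continue
        rule, bound, fixed, action = entry
        if is_affected(rule, bound, plugin["version"]):
            findings.append((plugin["name"], plugin["version"], action, fixed))
    return findings


# Constructed inventory in WP-CLI's JSON shape; not from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet",               "version": "3.3.2",  "status": "active"},
    {"name": "stop-user-enumeration", "version": "1.3.8",  "status": "active"},
    {"name": "wp-rocket",             "version": "2.10.4", "status": "active"},
    {"name": "task-manager-pro",      "version": "1.0",    "status": "inactive"},
    {"name": "custom-css-js",         "version": "3.3.1",  "status": "active"},
    {"name": "addthis",               "version": "5.3.6",  "status": "active"},
    {"name": "wp-statistics",         "version": "12.0.9", "status": "active"},
])

if __name__ == "__main__":
    for slug, installed, action, fixed in check_inventory(SAMPLE_INVENTORY):
        target = " -> %s" % fixed if fixed else ""
        print("%-24s %-8s %s%s" % (slug, installed, action, target))
```

On a live site, pipe `wp plugin list --format=json --fields=name,version,status` into `check_inventory` instead of the constructed sample. The single-version rows ("eq") are the ones to revisit by hand: the WooCommerce Catalog Enquiry note says the 3.1.1 fix is only partial, so an even newer release is not automatically clean, and the check can only tell you what the table says.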