What Happened With WordPress Plugin Vulnerabilities in May 2017
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during May (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for reviews of:
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed.
- Reflected cross-site scripting (XSS) vulnerability in User Access Manager, discovered by DefenseCode
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in EELV Newsletter, discovered by King Coder
- Authenticated persistent cross-site scripting (XSS) vulnerability in EELV Newsletter, discovered by King Coder
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Newsletter by Supsystic, discovered by King Coder
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show.
- Arbitrary file upload vulnerability in flickr picture backup, discovered by Larry W. Cashdollar
- Reflected cross-site scripting (XSS) vulnerability in SlideDeck 2, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Answer My Question, discovered by Leon Teale
- Cross-site request forgery (CSRF) vulnerability in Clean Login, discovered by Zhiyang Zeng
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in MSMC – Redirect After Comment, discovered by dxwsecurity
- Reflected cross-site scripting (XSS) vulnerability in Tracking Code Manager, discovered by DefenseCode
- Authenticated SQL injection vulnerability in Surveys, discovered by Larry W. Cashdollar
- Authenticated SQL injection vulnerability in Eventr, discovered by Larry W. Cashdollar
- Persistent cross-site scripting (XSS) vulnerability in Gift Certificate Creator, discovered by Larry W. Cashdollar
- Reflected cross-site scripting (XSS) vulnerability in Newsletters, discovered by Neven Biruski
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month:
- Persistent cross-site scripting (XSS) vulnerability in Form Maker, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in SlideDeck 3, discovered by ?
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Spider Event Calendar (Calendar by WD), discovered by DefenseCode
- Cross-site request forgery (CSRF)/SQL injection vulnerability in WordPress Facebook, discovered by DefenseCode
- Reflected cross-site scripting (XSS) vulnerability in RSS Post Importer, discovered by ?
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Huge IT Forms, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Cimy User Extra Fields, discovered by RedTeam Pentesting
- Information disclosure vulnerability in Download Monitor, discovered by James Golovich
- Reflected cross-site scripting (XSS) vulnerability in User Access Manager, discovered by DefenseCode
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in EELV Newsletter, discovered by King Coder
- Authenticated persistent cross-site scripting (XSS) vulnerability in EELV Newsletter, discovered by King Coder
- Remote code execution (RCE) vulnerability in BibleGet I/O, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in MaxButtons, discovered by ASAI Ken and Chris Liu
- Persistent cross-site scripting (XSS) vulnerability in WP Booking System, discovered by Satoshi Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Newsletter by Supsystic, discovered by King Coder
- Reflected cross-site scripting (XSS) vulnerability in AffiliateWP, discovered by Neven Biruski
- Reflected cross-site scripting (XSS) vulnerability in All In One Schema.org Rich Snippets, discovered by Neven Biruski
- Authenticated SQL injection vulnerability in Gallery – Video Gallery, discovered by Neven Biruski
- Persistent cross-site scripting (XSS) vulnerability in Question answer, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in WP No External Links, discovered by Neven Biruski
- Reflected cross-site scripting (XSS) vulnerability in Simple Slideshow Manager, discovered by Neven Biruski
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in WordPress Popular Posts, discovered by ?