What Happened With WordPress Plugin Vulnerabilities in June 2017
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during June (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered; we also discover vulnerabilities while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
This month the most concerning vulnerabilities we found were a couple of information disclosure vulnerabilities: one exposes contact form submissions saved by a plugin and the other exposes customer information from a CRM plugin. Neither of those has been fixed yet.
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update
- Information disclosure vulnerability in Save Contact Form 7
- Authenticated information disclosure vulnerability in Contact Form 7 Database
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Count per Day
- Authenticated persistent cross-site scripting (XSS) vulnerability in WP Posts Carousel
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Skype Legacy Buttons
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu
- Cross-site request forgery (CSRF) vulnerability in Contact Form 7 – PayPal Add-on
- Cross-site request forgery (CSRF) vulnerability in PayPal Digital Downloads
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Shopping Cart
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Easy PayPal Gift Certificate
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Buy Now Button
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Multi Feed Reader
- Reflected cross-site scripting (XSS) vulnerability in uCare
- Reflected cross-site scripting (XSS) vulnerability in Product Catalog
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Newsletters
- Information disclosure vulnerability in UpiCRM
- Cross-site request forgery (CSRF)/settings change vulnerability in Salon booking system
- Reflected cross-site scripting (XSS) vulnerability in Postman SMTP
- Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers and the Plugin Directory to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 340,000+ active installs:
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update, discovered by us
- Full path disclosure vulnerability in BackUpWordPress, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Newsletters, discovered by Neven Biruski
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in uCare, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show:
- Information disclosure vulnerability in Save Contact Form 7, discovered by us
- Authenticated information disclosure vulnerability in Contact Form 7 Database, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Count per Day, discovered by us
- Authenticated persistent cross-site scripting (XSS) vulnerability in WP Posts Carousel, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Skype Legacy Buttons, discovered by us
- Cross-site request forgery (CSRF) vulnerability in Contact Form 7 – PayPal Add-on, discovered by us
- Cross-site request forgery (CSRF) vulnerability in PayPal Digital Downloads, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Shopping Cart, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Easy PayPal Gift Certificate, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in PayPal Buy Now Button, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP Custom Fields Search, discovered by Dimitrios Tsagkarakis
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Multi Feed Reader, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Product Catalog, discovered by us
- Cross-site request forgery (CSRF)/arbitrary file upload vulnerability in Newsletters, discovered by us
- Information disclosure vulnerability in UpiCRM, discovered by us
- Cross-site request forgery (CSRF)/settings change vulnerability in Salon booking system, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Postman SMTP, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month.
For the most serious vulnerability fixed this month, the plugin didn’t get its version number changed, so those already using the latest version are left vulnerable. We notified the developer over two weeks ago, but they haven’t resolved that yet. If you were using our service you would have been notified about the situation already and could have taken action to protect yourself. As far as we can tell, no other data providers even include the vulnerability in their data set (we do much more comprehensive data collection than anyone else).
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Companion Auto Update, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Memphis Documents Library, discovered by ?
- Order duplication vulnerability in WC Duplicate Order, discovered by dungengronovius
- SQL injection vulnerability in Save Contact Form 7, discovered by ?
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Responsive Menu, discovered by us
- Settings change vulnerability in WP Custom Admin Login Page Logo, discovered by po1838660997
- Reflected cross-site scripting vulnerability in Spiffy Calendar, discovered by Dimitrios Tsagkarakis
- Authenticated SQL injection vulnerability in Event List, discovered by Dimitrios Tsagkarakis
- Persistent cross-site scripting (XSS) vulnerability in RSVP, discovered by ?
- File manager access vulnerability in WP File Manager, discovered by ?
- Arbitrary file upload vulnerability in WP File Manager, discovered by ?
- Arbitrary file viewing vulnerability in WP File Manager, discovered by ?
- Authenticated file manager access vulnerability in File Manager, discovered by ?
- Authenticated arbitrary file upload vulnerability in File Manager, discovered by ?
- Authenticated arbitrary file viewing vulnerability in File Manager, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in WP-Members, discovered by Chris Liu
- Authenticated open redirect vulnerability in WordPress Download Manager, discovered by Gen Sato of Mitsui Bussan Secure Directions, Inc.
- Reflected cross-site scripting (XSS) vulnerability in WordPress Download Manager, discovered by Gen Sato of Mitsui Bussan Secure Directions, Inc.
- Reflected cross-site scripting (XSS) vulnerability in WordPress Download Manager, discovered by Tom Adams of dxwsecurity
- Reflected cross-site scripting (XSS) vulnerability in All-in-One WP Migration, discovered by Oways
- Reflected cross-site scripting (XSS) vulnerability in Analytics Tracker, discovered by Arjan Snaterse
- Reflected cross-site scripting (XSS) vulnerability in uCare, discovered by us
- Authenticated SQL injection vulnerability in Product Catalog, discovered by Lenon Leite
- Reflected cross-site scripting (XSS) vulnerability in Brute Force Login Protection, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Custom Sidebars, discovered by qasuar
- Reflected cross-site scripting (XSS) vulnerability in Event Calendar WD, discovered by Chris Liu