What Happened With WordPress Plugin Vulnerabilities in July 2017
If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during July (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered; we also discover vulnerabilities while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.
This month the most concerning vulnerability is a PHP object injection vulnerability in Product Reviews, since that type of vulnerability is likely to be exploited and the vulnerability hasn’t been fixed yet.
- Persistent cross-site scripting (XSS) vulnerability in Post Custom Templates Lite
- Reflected cross-site scripting (XSS) vulnerability in Contact Form 7 International Sms Integration
- Cross-site request forgery (CSRF)/settings change vulnerability in Share Buttons by AddThis
- Reflected cross-site scripting (XSS) vulnerability in WebLibrarian
- PHP object injection vulnerability in Product Reviews
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 702,300+ active installs:
- Persistent cross-site scripting (XSS) vulnerability in Post Custom Templates Lite, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Chris Liu
- Cross-site request forgery (CSRF)/settings change vulnerability in Share Buttons by AddThis, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in WP Statistics, discovered by LoRexxar
- Reflected cross-site scripting (XSS) vulnerability in WebLibrarian, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in OptiMonk, discovered by ?
- Information disclosure vulnerability in Easy Digital Downloads, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show:
- Authenticated SQL injection in WP-Testimonials, discovered by Dimitrios Tsagkarakis
- Reflected cross-site scripting (XSS) vulnerability in NextGEN Gallery, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in Contact Form 7 International Sms Integration, discovered by us
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Arabic Font, discovered by Rob Carr
- Open redirect vulnerability in Pie Register, discovered by Carl Clegg
- Reflected cross-site scripting (XSS) vulnerability in WP Download Codes, discovered by Carl Clegg
- Remote code execution vulnerability in Social Sticky Animated, discovered by Carl Clegg
- PHP object injection vulnerability in Product Reviews, discovered by us
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of the new vulnerabilities that were fixed this month are relatively minor.
- Authenticated SQL injection vulnerability in WP Statistics, discovered by Sucuri
- Persistent cross-site scripting (XSS) vulnerability in Post Custom Templates Lite, discovered by us
- Reflected cross-site scripting (XSS) vulnerability in Responsive Lightbox, discovered by Chris Liu
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Paid Memberships Pro, discovered by Planet Zuda
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in CevherShare, discovered by Planet Zuda
- Reflected cross-site scripting (XSS) vulnerability in WP Statistics, discovered by Dewhurst Security
- Authenticated arbitrary file viewing vulnerability in Shortcodes Ultimate, discovered by Chris Liu
- Reflected cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Chris Liu
- Cross-site request forgery (CSRF)/settings change vulnerability in Share Buttons by AddThis, discovered by us
- SQL injection vulnerability in ACF: Better Search, discovered by sbuntu
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Lightbox, discovered by Rob Carr
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Gallery – Photo Gallery, discovered by Carl Clegg
- Reflected cross-site scripting (XSS) vulnerability in WP Mail, discovered by Carl Clegg
- Reflected cross-site scripting (XSS) vulnerability in Vospari Forms, discovered by Carl Clegg
- Reflected cross-site scripting (XSS) vulnerability in WP Statistics, discovered by LoRexxar
- Reflected cross-site scripting (XSS) vulnerability in WebLibrarian, discovered by us
- Cross-site request forgery (CSRF)/settings change vulnerability in YouTube, discovered by Tom Adams of dxwsecurity
- Reflected cross-site scripting (XSS) vulnerability in Popup Maker, discovered by Chris Liu
- Reflected cross-site scripting (XSS) vulnerability in Simple Custom CSS and JS, discovered by Chris Liu
- Reflected cross-site scripting (XSS) vulnerability in OptiMonk, discovered by ?