What Happened With WordPress Plugin Vulnerabilities in September 2017
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during September (and what you have been missing out on if you haven’t signed up yet):
Plugin Security Reviews
Paid customers of the service can suggest and vote on plugins to have a security review done by us.
We don’t currently have any more plugins queued up for a review, so if you sign up now for the service, a plugin you suggest could be reviewed right away.
Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month
We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.
This month the most concerning vulnerabilities were a number of PHP object injection vulnerabilities, since that type of vulnerability is likely to be exploited and the vulnerabilities existed in plugins with tens of thousands of active installs.
- PHP object injection vulnerability in VideoWhisper Live Streaming
- PHP object injection vulnerability in Booster for WooCommerce
- Authenticated PHP object injection vulnerability in Media Library Assistant
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Media Library Assistant
- PHP object injection vulnerability in WordPress Meta Data and Taxonomies Filter
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Ginger – EU Cookie Law
- Arbitrary file upload vulnerability in Woocommerce Product Designer
- Authenticated PHP object injection vulnerability in Media from FTP
- Authenticated arbitrary file upload vulnerability in Football Pool
- Authenticated PHP object injection vulnerability in Post Pay Counter
- Authenticated information disclosure vulnerability in Share Drafts Publicly
- Arbitrary file upload vulnerability in All Post Contact Form
- PHP object injection vulnerability in TAKETIN To WP Membership
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Shoppable Images Lite
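The PHP object injection class that dominates the list above comes down to one sink: `unserialize()` called on data an attacker controls. The following is an added example written for this page, not code from any plugin named here; the class, function, option, nonce and action names are hypothetical. It shows the vulnerable pattern, why no login is needed for the plain variant, and the two fixes that actually close it, plus the capability and nonce checks that separate the "authenticated" and "CSRF" variants on this page from the unauthenticated one.

```php
<?php
/*
 * Added example, not code from any plugin listed on this page.
 * All class, function, option, nonce and action names are hypothetical.
 */

// Stand-in gadget. Any class already loaded by WordPress, a theme or another
// plugin whose __destruct() or __wakeup() does something dangerous will do;
// attackers hunt for such classes in common libraries rather than needing
// one in the vulnerable plugin itself.
class Hypothetical_Cache_Writer {
    public $path;
    public $data;
    public function __destruct() {
        file_put_contents( $this->path, $this->data );
    }
}

// VULNERABLE: unserialize() on untrusted input. A request carrying a cookie
// shaped like
//   O:25:"Hypothetical_Cache_Writer":2:{s:4:"path";s:14:"/tmp/shell.php";s:4:"data";s:...}
// makes PHP build a Hypothetical_Cache_Writer object, and its __destruct()
// writes the attacker's file when the object is freed. No login is needed,
// which is why the unauthenticated variant is the one most likely to be hit.
function vuln_load_settings() {
    if ( isset( $_COOKIE['plugin_settings'] ) ) {
        return unserialize( wp_unslash( $_COOKIE['plugin_settings'] ) );
    }
    return array();
}

// FIX 1: if the serialize() format must stay, forbid object instantiation.
// PHP 7.0+ only. Objects in the input become __PHP_Incomplete_Class, whose
// magic methods never run, so the gadget above is never constructed.
function fixed_load_settings_v1() {
    if ( ! isset( $_COOKIE['plugin_settings'] ) ) {
        return array();
    }
    $settings = unserialize(
        wp_unslash( $_COOKIE['plugin_settings'] ),
        array( 'allowed_classes' => false )
    );
    return is_array( $settings ) ? $settings : array();
}

// FIX 2 (preferred): use a data format that cannot express objects at all.
function fixed_load_settings_v2() {
    if ( ! isset( $_COOKIE['plugin_settings'] ) ) {
        return array();
    }
    $settings = json_decode( wp_unslash( $_COOKIE['plugin_settings'] ), true );
    return is_array( $settings ) ? $settings : array();
}

// The "CSRF/PHP object injection" and "authenticated PHP object injection"
// entries are the same sink reached through an admin action. A capability
// check decides who may reach it and a nonce check stops a logged-in admin
// from being made to trigger it from another site; neither makes
// unserialize() safe on its own, so the format fix above is still needed.
function hypothetical_save_settings_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'hypothetical_plugin_save_settings' );
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true );
    update_option( 'hypothetical_plugin_settings', is_array( $settings ) ? $settings : array() );
}
add_action( 'admin_post_hypothetical_plugin_save', 'hypothetical_save_settings_handler' );
```

When reviewing a plugin for this class, grep for `unserialize(` and also for WordPress's `maybe_unserialize()`, which simply wraps `unserialize()` and offers no `allowed_classes` restriction, then trace each call back to see whether the input can come from a request (cookie, GET/POST parameter, user meta the user can set) rather than only from data the site stored itself.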
Plugin Vulnerabilities We Helped Get Fixed This Month
Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 63,600+ active installs:
- PHP object injection vulnerability in VideoWhisper Live Streaming, discovered by us
- PHP object injection vulnerability in WordPress Meta Data and Taxonomies Filter, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Ginger – EU Cookie Law, discovered by us
- Arbitrary file upload vulnerability in Woocommerce Product Designer, discovered by us
- PHP object injection vulnerability in Booster for WooCommerce, discovered by us
- Authenticated PHP object injection vulnerability in Media from FTP, discovered by us
- Authenticated arbitrary file upload vulnerability in Football Pool, discovered by us
- Authenticated PHP object injection vulnerability in Post Pay Counter, discovered by us
- Authenticated information disclosure vulnerability in Share Drafts Publicly, discovered by us
- PHP object injection vulnerability in TAKETIN To WP Membership, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Shoppable Images Lite, discovered by us
Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins
Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:
- Authenticated PHP object injection vulnerability in Media Library Assistant, discovered by us
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Media Library Assistant
- Reflected cross-site scripting (XSS) vulnerability in Cool Flickr Slideshow, discovered by Ashiyane Digital security Team
- Arbitrary file upload vulnerability in All Post Contact Form, discovered by us
- Authenticated SQL injection vulnerability in WP Like Post, discovered by Paul Dannewitz
- Cross-site request forgery (CSRF)/SQL injection vulnerability in WP Like Post, discovered by Paul Dannewitz
- Authenticated SQL injection vulnerability in SQL Shortcode, discovered by Paul Dannewitz
Additional Vulnerabilities Added This Month
As usual, there were plenty of other vulnerabilities that we added to our data during the month. In addition to a number of PHP object injection vulnerabilities we discovered this month, there were also a number discovered by others.
- PHP object injection vulnerability in VideoWhisper Live Streaming, discovered by us
- PHP object injection vulnerability in WordPress Meta Data and Taxonomies Filter, discovered by us
- Persistent cross-site scripting (XSS) vulnerability in Participants Database, discovered by Benjamin Lim
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Ginger – EU Cookie Law, discovered by us
- Arbitrary file upload vulnerability in Woocommerce Product Designer, discovered by us
- PHP object injection vulnerability in Booster for WooCommerce, discovered by us
- Authenticated PHP object injection vulnerability in Media from FTP, discovered by us
- Remote code execution vulnerability in Display Widgets, discovered by David Law
- Spam post creation vulnerability in Display Widgets, discovered by David Law
- Authenticated arbitrary file upload vulnerability in Football Pool, discovered by us
- PHP object injection vulnerability in Welcart e-Commerce, discovered by ?
- Authenticated PHP object injection vulnerability in Post Pay Counter, discovered by us
- Cross-site request forgery (CSRF) vulnerability in Share Drafts Publicly, discovered by ?
- Authenticated information disclosure vulnerability in Share Drafts Publicly, discovered by us
- Media editing vulnerability in MediaPress, discovered by ?
- PHP object injection vulnerability in Invite Anyone, discovered by ?
- Reflected cross-site scripting (XSS) vulnerability in 2kb Amazon Affiliates Store, discovered by Ricardo Sanchez
- PHP object injection vulnerability in TAKETIN To WP Membership, discovered by us
- PHP object injection vulnerability in Appointments, discovered by Wordfence
- Cross-site request forgery (CSRF)/PHP object injection vulnerability in Shoppable Images Lite, discovered by us
- Cross-site request forgery (CSRF)/SQL injection vulnerability in Wpdevart Gallery, discovered by Manuel Garcia Cardenas
- Open redirect vulnerability in furikake, discovered by Carl Clegg
- Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in Content Audit, discovered by dxwsecurity
- Authenticated persistent cross-site scripting (XSS) vulnerability in SmokeSignal, discovered by Paul Dannewitz
- PHP object injection vulnerability in MarketPress, discovered by Robert R