When we began our service, our data set of vulnerabilities in WordPress plugins consisted of vulnerabilities that had been publicly disclosed. That allowed us to warn our customers if they were using plugins known to be vulnerable.

At that time, we started monitoring for the exploitation of previously undisclosed zero-day vulnerabilities, which are vulnerabilities being exploited before the developer is made aware of them. That has allowed us to help our customers protect themselves from vulnerabilities that they otherwise would not have had the ability to know about despite hackers already being aware of them. Much to our surprise, this is something that other security providers have not been doing, even ones that promote that they are (security companies, it turns out, are not all that honest).

We then introduced the ability for our customers to suggest/vote for plugins to receive security reviews from us.

In June 2017, we added an additional layer of monitoring to help protect our customers against vulnerabilities in WordPress plugins. We are now checking for indications that new versions of plugins include serious security vulnerabilities. We first use pattern matching to identify code in new versions that have the potential to be exploited. We then manually review the code to see if there is in fact an exploitable vulnerability. Through this, we have found quite a few vulnerabilities.

Far too many of those vulnerabilities have not been fixed, so even if you are keeping your plugins up to date, you could be vulnerable. By using our service not only do you get warned if you are using those vulnerable plugins (many of which no other service that provides similar data will warn you about), but we are there to help you to make the best decision on how to deal with the situation.

Currently, we are limited in how many types of vulnerabilities we can monitor for because of the time it takes to handle each possible vulnerability. If we had more customers, we could increase the number of types of vulnerabilities we monitor for and help to make WordPress plugins even more secure.

We run all the plugins used by customers of our service through that monitoring system on a weekly basis, so even if those plugins have not been updated, we can catch vulnerabilities in them. We check for a wider range of vulnerabilities with that as well.

Some of the Vulnerabilities Found Through Our Proactive Monitoring

• Arbitrary File Upload Vulnerability in Appointment Booking and Online Scheduling
• Authenticated Arbitrary File Upload Vulnerability in Sage AI Content Writer
• Arbitrary File Upload Vulnerability in Chatbot ChatGPT
• Authenticated Option Update Vulnerability in Cozy Blocks
• Authenticated Option Update Vulnerability in WPGetAPI
• Authenticated Option Update Vulnerability in WP Courses
• Reflected Cross-Site Scripting (XSS) Vulnerability in Squirrly SEO
• PHP Object Injection Vulnerability in Essential Blocks
• Authenticated Plugin Installation Vulnerability in Disable Fullscreen Mode
• Authenticated Option Update Vulnerability in WooODT Lite
• Arbitrary File Upload Vulnerability in KadenceWP
• Authenticated Option Update Vulnerability in Booster for WooCommerce 
• User Deletion Vulnerability in Atarim – Client Interface
• Authenticated Option Update in WP Compress
• Shortcode Execution Vulnerability ShortcodeGPT
• Arbitrary File Viewing Vulnerability in WPYog Documents
• Authenticated Option Update Vulnerability in AI Power
• Arbitrary File Upload Vulnerability in Propeller Ecommerce
• Reflected Cross-Site Scripting (XSS) Vulnerability in DELUCKS SEO
• Remote Code Execution (RCE) Vulnerability in CX Easy Contact Form
• Authenticated Option Update Vulnerability in Users Control
• Authenticated PHP Object Injection Vulnerability in Aarambha Kits for Elementor
• Server-Side Request Forgery (SSRF) Vulnerability in UpdraftCentral Dashboard
• Authenticated Option Update Vulnerability in LWS Optimize
• Arbitrary File Upload Vulnerability in HTML WP
• Cross-Site Request Forgery (CSRF)/Plugin Deactivation Vulnerability in 10Web Booster
• Arbitrary File Upload Vulnerability in Create Block Theme
• Arbitrary File Upload Vulnerability in Simple File Manager
• Authenticated PHP Object Injection Vulnerability in Blog2Social
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in PageManager
• Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in PageManager
• Authenticated Option Update Vulnerability in Stop Generating Unnecessary Thumbnails
• Authenticated Option Update Vulnerability in CoDesigner
• Authenticated Option Deletion Vulnerability in FastDev
• Authenticated PHP Object Injection in Contact
• Remote Code Execution (RCE) in Campation PostOffice
• Cross-site Request Forgery (CSRF)/Option Update Vulnerability in Profile Builder
• Restricted File Upload Vulnerability in Sitemap by click5
• PHP Object Injection Vulnerability in ELEX HelpDesk & Customer Support Ticket System
• Persistent Cross-Site Scripting (XSS) Vulnerability in Stylish Price List
• Authenticated Arbitrary File Upload Vulnerability in VIRTUAL HDM FOR TAXSERVICE AM
• PHP Object Injection Vulnerability in ICS Calendar
• Authenticated Arbitrary File Upload Vulnerability in Vossle
• Authenticated Option Update Vulnerability in Stop Generating Unnecessary Thumbnails
• PHP Object Injection in Saksh Escrow System
• Authenticated Option Update Vulnerability in WP Leads Builder For Any CRM
• Aribtrary File Upload Vulnerability in WP Image Refresh
• Authenticated Plugin Deactivation Vulnerability in Userplace
• Authenticated PHP Object Injection Vulnerability in WP Category Sort
• Authenticated Option Update Vulnerability in Visual Email Designer for WooCommerce
• PHP Object Injection Vulnerability in Event Calendar
• Authenticated Arbitrary File Deletion Vulnerability in Smart Grid-Layout Design for Contact Form 7
• Cross-Site Request Forgery (CSRF)/File Modification Vulnerability in .htaccess editor WP
• Authenticated arbitrary file upload vulnerability in INK Official
• Authenticated arbitrary file upload vulnerability in SCORM Cloud For WordPress
• Arbitrary File Upload Vulnerability in WP-Property
• Shortcode Execution in TableOn
• Shortcode Execution in Active Products Tables for WooCommerce
• Arbitrary File Upload in Consignment Store For WooCommerce.
• Authenticated Arbitrary File Upload in Hotel Booking by Xfor
• PHP Object Injection Vulnerability in Contact List
• PHP Object Injection Vulnerability in Soprop Connector
• Persistent Cross-Site Scripting (XSS) Vulnerability in WIP Custom Login
• Arbitrary File Upload Vulnerability in WP Agora.io
• Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) Vulnerability in Email Marketing Services Integration
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Blocksy Companion
• Authenticated Option Update Vulnerability in INDIGITALL
• Arbitrary File Upload Vulnerability in Payment QR WooCommerce
• Arbitrary File Upload in Vulnerability in WooCommerce Geidea Payment Gateway
• Arbitrary File Viewing Vulnerability in Law Practice Management Software
• Arbitrary File Upload Vulnerability in Wireless Butler
• Authenticated Option Update Vulnerability in Content Mask
• Authenticated Arbitrary File Upload Vulnerability in Delicious Recipes
• Reflected Cross-Site Scripting (XSS) in ProfilePress
• Authenticated Option Update Vulnerability in to SP Project & Document Manager
• Cross-Site Request Forgery (CSRF)/Option Update Vulnerability in to SP Project & Document Manager
• Cross-Site Request Forgery (CSRF)/Arbitrary File Deletion Vulnerability in Backup Guard
• Authenticated Arbitrary File Upload Vulnerability in Word Of The Day
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Word Of The Day
• Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Request a Quote
• Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Request a Quote
• Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Youtube Showcase (YouTube Gallery)
• Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Youtube Showcase (YouTube Gallery)
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in WP Google Map Plugin
• Cross-Site Request Forgery (CSRF)/Arbitrary File Deletion Vulnerability in Prevent Files / Folders Access
• Arbitrary File Upload Vulnerability in Zedna Contact form
• Arbitrary File Viewing Vulnerability in Groundhogg
• PHP Object Injection Vulnerability in WP BASE Booking of Appointments, Services and Events
• Authenticated Option Update Vulnerability in WP human resource management
• Authenticated Arbitrary File Deletion Vulnerability in Ovic Addon Toolkit
• Cross-Site Request Forgery (CSRF)/Arbitrary File Deletion Vulnerability in Ovic Addon Toolkit
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Formidable Forms
• Authenticated PHP Object Injection Vulnerability in Blog2Social: Social Media Auto Post & Scheduler
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Blog2Social: Social Media Auto Post & Scheduler
• Authenticated Option Update Vulnerability in HandL UTM Grabber
• Cross-Site Request Forgery (CSRF)/Option Update Vulnerability in HandL UTM Grabber
• Authenticated Arbitrary File Upload Vulnerability in uListing
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in uListing
• Restricted File Upload Vulnerability in GA Top Posts
• Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Yes-co ORES
• Authenticated Settings Change Vulnerability in Yes-co ORES
• Authenticated Arbitrary File Upload Vulnerability in the MapSVG Lite
• Local File Inclusion (LFI) Vulnerability in Sina Extension for Elementor
• Authenticated Arbitrary File Upload Vulnerability in Shipping Servientrega Woocommerce
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload in LionScripts: IP Blocker Lite
• Local File Inclusion (LFI) Vulnerability in Revamp CRM for WooCommerce
• Authenticated Option Update Vulnerability in WPMktgEngine
• Cross-Site Request Forgery (CSRF)/Option Update Vulnerability in WPMktgEngine
• Authenticated Option Update Vulnerability in WP Dev Powers: ACF Color Coded Field Types
• Remote Code Execution (RCE) Vulnerability in Kanzu Support Desk
• Authenticated Remote Code Execution (RCE) Vulnerability in Master Popups Lite
• Authenticated Arbitrary File Upload Vulnerability in PollDeep
• Authenticated Option Update Vulnerability in WP Buddha Free Adwords Plugin
• Arbitrary File Upload Vulnerability in WooCommerce Checkout Manager
• Arbitrary File Upload Vulnerability in Zielke Specialized Catalog
• Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in LeaderBoard LITE (LeaderBoard Plugin)
• Authenticated Arbitrary File Viewing Vulnerability in Apply Online
• Authenticated Remote Code Execution (RCE) Vulnerability in Groundhogg
• Cross-Site Request Forgery (CSRF)/Remote Code Execution (RCE) Vulnerability in Groundhogg
• Arbitrary File Upload Vulnerability in SupportCandy
• Authenticated Arbitrary File Upload Vulnerability in Child Themes Helper
• Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) Vulnerability in Social Share Buttons & Analytics by GetSocial.io
• Restricted File Upload Vulnerability in Sooqr Search
• Persistent Cross-Site Scripting (XSS) Vulnerability in Sooqr Search
• Settings Change Vulnerability in Social Warfare
• Persistent Cross-Site Scripting (XSS) Vulnerability in Social Warfare
• Server-Side Request Forgery (SSRF) Vulnerability in Social Warfare
• Persistent Cross-Site Scripting (XSS) Vulnerability in Analytics-Gtag
• Restricted File Upload Vulnerability in Analytics-Gtag
• Cross-Site Request Forgery (CSRF)/Option Update Vulnerability in Estatik
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Newsletter Subscription Plugin for easyping.me
• Authenticated PHP Object Injection Vulnerability in Newsletter Subscription Plugin for easyping.me
• Option Update Vulnerability in Woocommerce User Email Verification
• Restricted File Upload Vulnerability in Accessibility Suite by Online ADA
• Authenticated Arbitrary File Upload Vulnerability in Meta Box
• Authenticated Arbitrary File Upload Vulnerability in Events Made Easy
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Slider by 10Web
• Authenticated Remote Code Execution (RCE) Vulnerability in WP-Stateless
• Cross-Site Request Forgery (CSRF)/Remote Code Execution (RCE) Vulnerability in WP-Stateless
• Authenticated Local File Inclusion (LFI) Vulnerability in Shortcode Factory
• Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) Vulnerability in Shortcode Factory
• Remote Code Execution (RCE) Vulnerability in MailPress
• Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) Vulnerability in Companion Sitemap Generator
• Arbitrary File Upload Vulnerability in JS Job Manager
• Arbitrary File Upload Vulnerability in Buddy Share It Allusers FB YR
• Authenticated Arbitrary File Upload Vulnerability in WP Githuber MD
• Arbitrary File Upload Vulnerability In LearnPress
• Arbitrary File Upload Vulnerability in 3D Product configurator for WooCommerce
• Cross-Site Request Forgery(CSRF)/Option Update Vulnerability in Ultimate CSV Importer
• Authenticated Option Update Vulnerability in Ultimate CSV Importer
• Authenticated Option Update Vulnerability in Essential Content Types
• Authenticated Option Update Vulnerability in Dokan
• Arbitrary File Viewing Vulnerability in WebP Express
• Arbitrary File Viewing Vulnerability in Woocommerce Pay.nl Payment Methods
• Arbitrary File Deletion Vulnerability in Woocommerce Pay.nl Payment Methods
• Restricted File Upload Vulnerability in Woocommerce Pay.nl Payment Methods
• Local File Inclusion (LFI) Vulnerability in WP Payeezy Pay
• Authenticated Option Update Vulnerability in ARMember Lite
• Cross-Site Request Forgery (CSRF)/Option Update Vulnerability in Smart Marketing SMS and Newsletters Forms
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in WatchMan-Site7
• Remote Code Execution (RCE) Vulnerability in PropertyHive
• PHP Object Injection Vulnerability in Anti-Spam by CleanTalk 
• Authenticated PHP Object Injection Vulnerability in WooCommerce Product Feed
• Remote code execution (RCE) Vulnerability in Feedify
• Authenticated PHP Object Injection Vulnerability in Ticketrilla: Client
• Cross-Site Request Forgery (CSRF)/User Import Vulnerability in RSVPMaker for Toastmasters
• Authenticated Arbitrary File Upload Vulnerability in HDInvoice
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in HDInvoice
• Authenticated PHP Object Injection Vulnerability in Blog2Social: Social Media Auto Post & Scheduler
• PHP Object Injection Vulnerability in Events Made Easy
• Authenticated Arbitrary File Upload Vulnerability in Advanced Contact form 7 DB
• Authenticated PHP Object Injection Vulnerability in Woocommerce Aliexpress Dropshipping Lite
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Woocommerce Aliexpress Dropshipping Lite
• Authenticated Arbitrary File Upload Vulnerability in MapSVG Lite
• PHP Object Injection Vulnerability in Advanced Advertising System
• PHP Object Injection Vulnerability in Giveaway Boost
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in wpShopGermany Free
• Authenticated PHP Object Injection Vulnerability in FireDrum Email Marketing
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in FireDrum Email Marketing
• PHP Object Injection Vulnerability in WordPress Survey & Poll
• Arbitrary File Upload Vulnerability in KingComposer
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in WP Docs
• PHP Object Injection Vulnerability in Disc Golf Manager
• PHP Object Injection Vulnerability in DukaPress
• PHP Object Injection Vulnerability in HappyForms
• Authenticated PHP Object Injection Vulnerability in bbPress Move Topics
• Cross-Site Request Forgery/PHP Object Injection Vulnerability in bbPress Move Topics
• PHP Object Injection Vulnerability in WooCommerce Save For Later Cart Enhancement
• PHP Object Injection Vulnerability in WL Katalogsøk
• Authenticated Arbitrary File Upload Vulnerability in Convert Docx2post
• PHP Object Injection Vulnerability in PWAMP
• PHP Object Injection Vulnerability in WP Support Plus Responsive Ticket System
• PHP Object Injection Vulnerability in Swift Help Desk Support Software Ticketing System
• Authenticated PHP Object Injection Vulnerability in Autoship Cloud
• PHP Object Injection Vulnerability in Welcart e-Commerce
• Authenticated Arbitrary File Upload Vulnerability in Church Admin
• Cross-site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Flexible Captcha
• Authenticated Arbitrary File Upload Vulnerability in Vmax Project Manager
• Arbitrary File Upload Vulnerability in Wallable
• Restricted File Upload Vulnerability in Social Articles
• Tweet Sending Vulnerability in TwitterCart
• Authenticated PHP Object Injection Vulnerability in Event List
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Event List
• Cross-Site Request Forgery (CSRF) Vulnerability in Event List
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Shoppable Images Lite
• Arbitrary File Viewing Vulnerability in WP Post Popup
• Cross-Site Scripting Vulnerability in WP Post Popup
• Authenticated Arbitrary File Upload Vulnerability in WordPress Book List
• Information Disclosure Vulnerability in DS.DownloadList
• PHP Object Injection Vulnerability in DS.DownloadList
• PHP Object Injection Vulnerability in TAKETIN To WP Membership
• Arbitrary File Upload Vulnerability in All Post Contact Form
• Authenticated PHP Object Injection Vulnerability in Post Pay Counter
• Authenticated Arbitrary File Upload Vulnerability in Football Pool
• Authenticated PHP Object Injection Vulnerability in Media from FTP
• Arbitrary File Upload Vulnerability in Woocommerce Product Designer
• Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Ginger – EU Cookie Law
• Authenticated PHP Object Injection Vulnerability in Media Library Assistant
• Cross-site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Media Library Assistant
• PHP Object Injection Vulnerability in Booster for WooCommerce
• Authenticated PHP Object Injection Vulnerability in Slimstat Analytics
• Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Traffic Manager
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Participants Database
• Authenticated Information Disclosure Vulnerability in Advanced Contact form 7 DB
• PHP Object Injection Vulnerability in Leaky Paywall
• Arbitrary File Viewing Vulnerability in WP Post Popup
• Authenticated PHP Object Injection Vulnerability in Business Directory Plugin
• PHP Object Injection Vulnerability in Product Reviews
• Persistent Cross-Site Scripting (XSS) Vulnerability in Post Custom Templates Lite
• Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Newsletters
• Information Disclosure Vulnerability in UpiCRM
• Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Salon booking system