Scroll Top

WP Security: plugin vulnerabilities July

By Csaba, Miklós WP Security WP SERVICES 1 August 2017

For your WordPress protection, be informed about the latest vulnerabilities in WP plugins:

  1. WP Statistics
    • SQL injection reported by Sucuri. Exploit allows to create an admin-level user and sign in to your WordPress as an admin.
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. Exploit allows attackers to compromise a WordPress application by tricking an authenticated administrator into clicking on a specially crafted link.
      • immediately update to version 12.0.9 to fix both of these vulnerabilities
  2. Responsive Lightbox
    • Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. Exploit allows an attacker to inject arbitrary web script or HTML via unspecified vectors..
      • immediately update to version 1.7.2 to fix vulnerability
  3. DSubscribers
    • Authenticated SQL Injection reported by Lenon Leite.
      • immediately update to version 1.2.1 to fix vulnerability
  4. Shortcodes Ultimate
    • Authenticated Directory Traversal reported by Dewhurst Security. Exploit allows remote attackers to read arbitrary files via unspecified vectors.
      • immediately update to version 4.10.0 to fix vulnerability
  5. WP-Members
    • Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. Exploit allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
      • immediately update to version 3.1.8 to fix vulnerability
  6. WordPress Download Manager
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. Exploit allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
    • Open Redirect reported by Dewhurst Security. Exploit allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
      • immediately update to version 2.9.51 to fix both of these vulnerabilities
  7. Enmask Captcha
    • Deliberate redirect reported by Sucuri. Hijacking of WP plugin users exploit detailed in our blog: Expired Domain Hijacked WP Plugin Users.
      • immediately remove plugin or replace it with another
  8. Arabic Font
    • CSRF & Stored XSS reported by @iamrastating. Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.
      • immediately remove plugin or replace it with another
  9. WP Hide & Security Enhancer
    • Arbitrary File Download reported by Dewhurst Security. This allows any visitor to download any file from the WP installation.
      • immediately update to version 1.4 to fix vulnerability
  10. IBPS Online Exam Plugin for WordPress
    • Stored XSS on exam input text fields and Blind SQL Injection reported by @sys_secure.
      • immediately remove plugin or replace it with another
  11. YouTube Embed
    • Cross-Site Request Forgery (CSRF) reported by Dewhurst Security. This allows unauthenticated attacker to change any setting within the plugin.
      • immediately update to version 11.8.2 to fix vulnerability
  12. Stop User Enumeration
    • REST API Bypass reported by Dewhurst Security. This vulnerability allows to perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.
      • immediately update to version 1.3.9 to fix vulnerability

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

WP Security

Related Posts

WP SECURITY
WP Security: 5 plugin vulnerabilities in July 2018

At your next scheduled WordPress Maintenance, be advised for your WordPress protection about the latest vulnerabilities in WordPress plugins identified and reported publicly this month: Open Graph for Facebook, Google+ and Twitter Card Tags Unauthenticated Cross-Site Scripting (XSS) reported by Thomas Chauchefoin. The software does not neutralize or incorrectly neutralizes…

06 Aug 2018
WP SECURITY
WP Security: plugin vulnerabilities August

For your WordPress protection, be informed about the latest vulnerabilities in WP plugins: AddToAny Share Buttons Conditional Host Header Injection reported by Paul Dannewitz. It’s possible to inject a custom Host-Header, that will be used for building the link, which is going to be shared on Social Media platforms when…

31 Aug 2017
WP SECURITY
WP Security: plugin vulnerabilities June

For your WordPress protection, be informed about the latest vulnerabilities in WP plugins: All-in-One WP Migration Cross-Site Scripting (XSS) reported by Twitter user @0w4ys. Immediately update to version 6.46 to fix the vulnerability. Ultimate Product Catalogue Authenticated SQL Injection reported by Twitter user @log_oscon. Immediately update to version 4.2.3 to…

07 Jul 2017
WP CORE VULNERABILITY 2022
WP Core Vulnerability NOV 2022: 15 bug fixes
01 Nov 2022
WORDPRESS SECURITY
Gamification WILL BOOST your Company’s Culture about WP Security

Gamification WILL BOOST your Company’s Culture about WordPress Security There are always open holes in specific company’s WordPress Security, consisting of but not restricted to: Unpatched systems, reused passwords and misconfigurations. IT professionals and owners always want to fortify their organization’s defences, however regrettably, the rest of the business might…

04 Oct 2019
WP SECURITY
WP Vulnerability SEP 2022 Centralised Abuse Highlights
20 Sep 2022
CLOUD ROI
Still waiting for your CLOUD ROI? You, me and everybody else!
14 Oct 2022
WP SECURITY PLUGIN VULNERABILITIES
20 WP Security Plugin Vulnerabilities MAR 2023
23 Mar 2023
THEMES VULNERABILITY 2022
WP Themes vulnerability MAR 2023: 8 premium risks
06 Mar 2023
WP SECURITY PLUGIN VULNERABILITIES
WP Security Plugin CVE AUG 2023: 113 public risks
29 Aug 2023
WP SECURITY PLUGIN VULNERABILITIES
48 WP Security Plugin Vulnerabilities APR 2022 Threat
15 Apr 2022
THEMES VULNERABILITY 2022
Disempowered WP Security: 3 WP themes vulnerability SEP 2021
10 Nov 2021
WP SECURITY PLUGIN VULNERABILITIES
44 WP Security Plugin Vulnerabilities MAY 2023
22 May 2023
WP SECURITY PLUGIN VULNERABILITIES
44 WP Security Plugin Vulnerabilities JUL 2022 Threat
18 Jul 2022
WP SECURITY
WP Security: 6 plugin vulnerabilities in OCT 2018

WP Security bulletin – OCTOBER 2018 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 6 vulnerabilities in WordPress plugins identified and reported publicly during. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious…

31 Oct 2018
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.