WP Security: 5 plugin vulnerabilities in July 2018

At your next scheduled WordPress Maintenance, review the following vulnerabilities in WordPress plugins, identified and publicly reported this month, to keep your WordPress installation protected:


  1. Open Graph for Facebook, Google+ and Twitter Card Tags
    • Unauthenticated Cross-Site Scripting (XSS) reported by Thomas Chauchefoin. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      • WordPress Maintenance recommendation: immediately upgrade to version 2.2.4.2 to fix the vulnerability

  2. All In One Favicon
    • Unauthenticated Cross-Site Scripting (XSS) reported by Javier Olmedo (https://hackpuntes.com). Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text.
      • WordPress Maintenance recommendation: immediately upgrade to version 4.7 to fix the vulnerability

  3. Geo Mashup
    • Unspecified Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of the post editor and other user input.
      • WordPress Maintenance recommendation: immediately upgrade to version 1.10.4 to fix the vulnerability

  4. Multi Step Form
    • Unauthenticated Cross-Site Scripting (XSS) reported by Javier Olmedo (https://hackpuntes.com). WordPress Plugin Multi-Step Form before 1.2.5 allows remote users to execute JavaScript code through Reflected XSS attacks. This issue can be exploited by unauthenticated attackers, with the use of CSRF.
      • WordPress Maintenance recommendation: IMMEDIATELY UNINSTALL THIS PLUGIN! This plugin was closed on July 30, 2018 and is no longer available for download.

  5. Snazzy Maps
    • Unspecified Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). During a security audit of the Snazzy Maps plugin for WordPress, multiple Cross-Site Scripting (XSS) vulnerabilities were discovered using the DefenseCode ThunderScan application source code security analysis platform.
      • WordPress Maintenance recommendation: IMMEDIATELY UNINSTALL THIS PLUGIN! This plugin was closed on July 29, 2018 and is no longer available for download.
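As an added check (example code, not part of the original post), the script below turns the recommendations above into an automated triage of `wp plugin list --format=json` output: it flags plugins older than the fixed version and plugins that were closed. Only the all-in-one-favicon slug appears in the post; the other slugs are assumptions to verify against your own installation.

```python
import json

# Fixed versions from this advisory. Slugs other than "all-in-one-favicon"
# are assumed (not taken from the post); check them on your site.
FIXED_IN = {
    "wonderm00ns-simple-facebook-open-graph-tags": "2.2.4.2",  # assumed slug
    "all-in-one-favicon": "4.7",
    "geo-mashup": "1.10.4",  # assumed slug
}
# Plugins closed in July 2018 with no fixed release (slugs assumed).
CLOSED = {"multi-step-form", "snazzy-maps"}

def version_tuple(v):
    """Turn '2.2.4.2' into (2, 2, 4, 2) so versions compare numerically."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a, b):
    """True when a < b; shorter tuples are zero-padded so 1.10 == 1.10.0."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))

def triage(plugin_list_json):
    """Map slug -> action for installed plugins this advisory covers."""
    actions = {}
    for plugin in json.loads(plugin_list_json):  # wp plugin list --format=json
        slug, ver = plugin["name"], plugin["version"]
        if slug in CLOSED:
            actions[slug] = "UNINSTALL: plugin closed, no fix available"
        elif slug in FIXED_IN and version_lt(ver, FIXED_IN[slug]):
            actions[slug] = f"UPGRADE: {ver} -> {FIXED_IN[slug]}"
    return actions

# Constructed sample mimicking `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "all-in-one-favicon", "status": "active", "update": "available", "version": "4.6"},
    {"name": "geo-mashup", "status": "active", "update": "none", "version": "1.10.4"},
    {"name": "snazzy-maps", "status": "inactive", "update": "none", "version": "1.1.4"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.0.8"},
])

if __name__ == "__main__":
    for slug, action in triage(SAMPLE).items():
        print(f"{slug}: {action}")
```

On a live site, pipe the real output in with `wp plugin list --format=json | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`.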

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
