For your WordPress protection, be informed about the latest vulnerabilities in WP plugins:
- WP Statistics
  - SQL injection reported by Sucuri. The exploit allows an attacker to create an admin-level user and sign in to your WordPress as an admin.
  - Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows attackers to compromise a WordPress application by tricking an authenticated administrator into clicking on a specially crafted link.
  - Immediately update to version 12.0.9 to fix both of these vulnerabilities.
- Responsive Lightbox
  - Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
  - Immediately update to version 1.7.2 to fix the vulnerability.
- DSubscribers
  - Authenticated SQL Injection reported by Lenon Leite.
  - Immediately update to version 1.2.1 to fix the vulnerability.
- Shortcodes Ultimate
  - Authenticated Directory Traversal reported by Dewhurst Security. The exploit allows remote attackers to read arbitrary files via unspecified vectors.
  - Immediately update to version 4.10.0 to fix the vulnerability.
- WP-Members
  - Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  - Immediately update to version 3.1.8 to fix the vulnerability.
- WordPress Download Manager
  - Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  - Open Redirect reported by Dewhurst Security. The exploit allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
  - Immediately update to version 2.9.51 to fix both of these vulnerabilities.
- Enmask Captcha
  - Deliberate redirect reported by Sucuri. The hijacking of this WP plugin's users is detailed in our blog post: Expired Domain Hijacked WP Plugin Users.
  - Immediately remove the plugin or replace it with another.
- Arabic Font
  - CSRF & Stored XSS reported by @iamrastating. Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.
  - Immediately remove the plugin or replace it with another.
- WP Hide & Security Enhancer
  - Arbitrary File Download reported by Dewhurst Security. This allows any visitor to download any file from the WP installation.
  - Immediately update to version 1.4 to fix the vulnerability.
- IBPS Online Exam Plugin for WordPress
  - Stored XSS in exam input text fields and Blind SQL Injection reported by @sys_secure.
  - Immediately remove the plugin or replace it with another.
- YouTube Embed
  - Cross-Site Request Forgery (CSRF) reported by Dewhurst Security. This allows an unauthenticated attacker to change any setting within the plugin.
  - Immediately update to version 11.8.2 to fix the vulnerability.
- Stop User Enumeration
  - REST API Bypass reported by Dewhurst Security. This vulnerability allows an attacker to send a POST request with the "users" string in the body of the request and tell the REST API to act as if it had received a GET request, so a protection that only inspects GET requests is sidestepped.
  - Immediately update to version 1.3.9 to fix the vulnerability.
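As an added defensive example (not the Stop User Enumeration plugin's own code), the following must-use plugin rejects unauthenticated requests to the core users endpoint by resolved route rather than by HTTP method, which is the kind of check the bypass above gets around. It assumes a standard WordPress REST setup; `rest_pre_dispatch` and `WP_REST_Request::get_route()` are core WordPress APIs, while the function name is my own.

```php
<?php
/**
 * Plugin Name: Example: block anonymous REST user listing
 * Description: Drop into wp-content/mu-plugins/. Added example only;
 *              it is not the Stop User Enumeration plugin's code.
 */

add_filter( 'rest_pre_dispatch', 'example_block_anon_user_listing', 10, 3 );

/**
 * Refuse unauthenticated access to /wp/v2/users and /wp/v2/users/<id>.
 *
 * The decision is keyed on the route the REST server resolved, not on
 * the HTTP verb, so a POST that the server has been told to treat as a
 * GET is caught exactly like a plain GET.
 *
 * @param mixed           $result  Value to return instead of dispatching, or null.
 * @param WP_REST_Server  $server  REST server instance (unused here).
 * @param WP_REST_Request $request The incoming request.
 * @return mixed WP_Error for blocked requests, otherwise $result unchanged.
 */
function example_block_anon_user_listing( $result, $server, $request ) {
    // Another filter already short-circuited dispatch; leave its answer alone.
    if ( null !== $result ) {
        return $result;
    }

    // Cookie/nonce authentication has already run at this point, so
    // logged-in users keep normal access; the endpoint's own capability
    // checks still apply to them.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Matches the users collection and single-user routes regardless of
    // method or of any method-override hint the client supplied.
    $route = $request->get_route();
    if ( preg_match( '#^/wp/v2/users(?:/|$)#', $route ) ) {
        return new WP_Error(
            'rest_user_listing_forbidden',
            __( 'Authentication required to access user data.' ),
            array( 'status' => 401 )
        );
    }

    return $result;
}
```

This is a site-level hardening measure that complements, rather than replaces, updating the plugin to the fixed version; note that it also denies the endpoint to any legitimately anonymous consumer your site may have.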
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!