To protect your WordPress site, be informed about the latest vulnerabilities in WP plugins:

- WP Statistics
  - SQL injection reported by Sucuri. The exploit allows an attacker to create an admin-level user and sign in to your WordPress site as an admin.
  - Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows attackers to compromise a WordPress application by tricking an authenticated administrator into clicking a specially crafted link.
  - Immediately update to version 12.0.9 to fix both of these vulnerabilities.
- Responsive Lightbox
  - Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
  - Immediately update to version 1.7.2 to fix the vulnerability.
- DSubscribers
  - Authenticated SQL Injection reported by Lenon Leite.
  - Immediately update to version 1.2.1 to fix the vulnerability.
- Shortcodes Ultimate
  - Authenticated Directory Traversal reported by Dewhurst Security. The exploit allows remote attackers to read arbitrary files via unspecified vectors.
  - Immediately update to version 4.10.0 to fix the vulnerability.
- WP-Members
  - Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  - Immediately update to version 3.1.8 to fix the vulnerability.
- WordPress Download Manager
  - Cross-Site Scripting (XSS) reported by Dewhurst Security. The exploit allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  - Open Redirect reported by Dewhurst Security. The exploit allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
  - Immediately update to version 2.9.51 to fix both of these vulnerabilities.
- Enmask Captcha
  - Deliberate redirect reported by Sucuri. The hijacking of this WP plugin's users is detailed in our blog post: Expired Domain Hijacked WP Plugin Users.
  - Immediately remove the plugin or replace it with another.
- Arabic Font
  - CSRF & Stored XSS reported by @iamrastating. Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.
  - Immediately remove the plugin or replace it with another.
- WP Hide & Security Enhancer
  - Arbitrary File Download reported by Dewhurst Security. This allows any visitor to download any file from the WP installation.
  - Immediately update to version 1.4 to fix the vulnerability.
- IBPS Online Exam Plugin for WordPress
  - Stored XSS on exam input text fields and Blind SQL Injection reported by @sys_secure.
  - Immediately remove the plugin or replace it with another.
- YouTube Embed
  - Cross-Site Request Forgery (CSRF) reported by Dewhurst Security. This allows an unauthenticated attacker to change any setting within the plugin.
  - Immediately update to version 11.8.2 to fix the vulnerability.
- Stop User Enumeration
  - REST API Bypass reported by Dewhurst Security. This vulnerability allows an attacker to send a POST request with the "users" string in the request body and have the REST API treat it as if it had received a GET request, bypassing the plugin's enumeration protection.
  - Immediately update to version 1.3.9 to fix the vulnerability.
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!