XSS JUL 2021 - Cross-Site Scripting JUL 2021
Tailored WordPress Security Report
Be informed about the latest Cross-Site Scripting (XSS) vulnerabilities of JUL 2021, identified and reported publicly. As these XSS JUL 2021 vulnerabilities have a severe negative impact on any WordPress site's security, consider our FREE security AUDIT.
An estimated, jaw-dropping 3,832,000+ active WordPress installations were susceptible to these attack types, counting only the publicly disclosed and available numbers. The estimate can increase by 20-25% when premium versions are included, as those are private purchases.
Furthermore, the initial estimate can triple if we consider (1) versions that have already been patched BUT NOT UPDATED by their owners, so the vulnerability remains active on their domains; and (2) the closed, "uncounted" versions that remain active on domains already running the plugins, where nobody is maintaining security. As these owners change hosting provider (due to constant unexplained issues), they migrate these vulnerabilities behind new, protected areas, possibly exposing other clean WP installations to different attack types.
This is a mind-boggling 600% increase compared to December 2020. We compare last month against the previous winter holiday season, which has the biggest shopping traffic and attack spike of the year. Read more about our previous reports here: ALERT: 43 XSS JUN 2021 – Cross-Site Scripting JUN 2021 Blast and 11 XSS – Cross-Site Scripting – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the XSS JUL 2021 category:
Hire security geeks to protect your WP from publicly reported cases of XSS JUL 2021 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
- YouTube Embed, Playlist and Popup - Stored XSS
- The WordPress YouTube Embed plugin is a useful and convenient plugin to add videos to your WordPress website without coding knowledge.
You can use our plugin for adding videos in widgets, posts and pages, so you can add videos almost everywhere (you can also use our plugin shortcode to add it in the header or footer of your website).
Our plugin has some useful features that you’ll need. Here are the features of our plugin. Active installations: 7,000+
- W3 Total Cache - Reflected XSS in Extensions Page
- W3 Total Cache (W3TC) improves the SEO and user experience of your site by increasing website performance and reducing load times by leveraging features like content delivery network (CDN) integration and the latest best practices. Active installations: 1+ million
- ProfilePress - Authenticated Stored XSS
- ProfilePress - Unauthenticated Privilege Escalation
- ProfilePress - Arbitrary File Upload in Image Uploader Component
- ProfilePress - Unauthenticated Cross-Site Scripting
- ProfilePress (formerly WP User Avatar) is a lightweight membership plugin that lets you create beautiful user profiles, member directories and frontend user registration form, login form, password reset and editing profile information. It also allows you to protect sensitive content and control user access. Active installations: 400,000+
- Profile Builder - Authenticated Stored XSS
- Profile Builder - Admin Access via Password Reset Bug
- An easy-to-use user profile plugin for creating front-end login, user registration and edit-profile forms by using shortcodes. Active installations: 60,000+
- Community Event - Reflected XSS
- The purpose of this plugin is to allow users to create a schedule of upcoming events and display events for the next 7 days in an AJAX-driven box, or to display a full list of upcoming events. Active installations: 90+
- Popular Brand SVG Icons - Stored XSS
- Add popular brand icons to WordPress with ease. Use these high quality SVG icons anywhere on your WordPress site, set the color and size using attributes. Active installations: 5,000+
- WP HTML Mail - CSRF to XSS
- Custom designed WordPress emails for your WooCommerce and EDD transactional emails, contact form notifications, your WordPress core emails, BuddyPress and many more. Active installations: 20,000+
- Leaflet Map - Arbitrary Settings Update via CSRF Leading to Stored XSS
- Add a map generated with LeafletJS: an open-source JavaScript library for mobile-friendly interactive maps. Map tiles are provided by default through OpenStreetMap, or MapQuest (with an app key). Can be set per map with shortcode attributes or through the dashboard settings. Active installations: 20,000+
- Wr Age Verification - Reflected Cross-Site Scripting (XSS)
- These days many websites offer services for a certain age group, meaning they allow only people of a certain age to visit. So they use an age verification plugin that confirms the user’s age, automatically controls the age of your website visitors and restricts underage people. This plugin is useful in certain industries such as alcohol, gambling, and other website content that is inappropriate for children. For such help, Webriderz age verification is the most reliable one in the upcoming days. Active installations: 10+
- Page View Counts - Contributor+ Stored Cross-Site Scripting (XSS)
- A beautifully simple to set up plugin that gives site visitors and site owners the ability to quickly and easily see how many people have visited that page or post. Active installations: 20,000+
- Frontend File Manager - Privilege Escalation
- Frontend File Manager - Unauthenticated Content Injection and Stored XSS
- Frontend File Manager - Authenticated Arbitrary Settings Change to Arbitrary File Upload
- Frontend File Manager - Unauthenticated Arbitrary Post Deletion
- Frontend File Manager - Unauthenticated Post Meta Change to Arbitrary File Download
- Frontend File Manager - Unauthenticated HTML Injection
- This plugin lets the WordPress site users upload files for the admin. Each file is saved in a private directory, so each user can download/delete their own files after login. Active installations: 2,000+
- Stock in & out - Authenticated SQL Injection
- Stock in & out - Reflected Cross-Site Scripting (XSS)
- This plugin has been closed as of April 29, 2022 and is not available for download. Reason: Security Issue.
- WP Google Map - Authenticated Stored Cross-Site Scripting (XSS)
- WP Google Map is an awesome plugin to use when adding a custom Google map to your website. It is fully customizable and can be used as shortcode. Active installations: 30,000+
- 10Web Map Builder for Google Maps - Authenticated Stored XSS
- 10Web Map Builder for Google Maps combines quality and simplicity, offering you an easy way to add unlimited Maps to your website. It’s an out-of-the-box solution with some powerful functionality and additional customization options. The plugin is distinguished for its feature-packed free version, offering what are usually premium features absolutely free, such as an unlimited number of responsive maps, a geolocation feature, store locator, layers, unlimited markers, and more. Another great thing about it is that it features an intuitive builder, letting you customize your maps and preview the changes immediately with the live preview option. For additional quality features like a marker icon builder, directions, skins and themes, marker listing and multi-level marker categories there is the premium version, which will let you further personalize your maps. The plugin uses clean code, which guarantees smooth operation and compatibility with any WordPress theme. Active installations: 10,000+
- Video Posts Webcam Recorder - Authenticated Reflected XSS
- Allow access to the webcam and microphone when prompted by the browser, to enable recording. Select Video/Audio mode (preconfigurable from settings) and use the Start/Stop buttons to record. Then you can play back the preview, download the recording or send it to the server, or discard it and retry. Active installations: 100+
- WPFront Notification Bar - Authenticated Stored XSS
- Want to display a notification about a promotion or a news? WPFront Notification Bar plugin lets you do that easily. Active installations: 60,000+
- Form Maker by 10Web - Authenticated Stored XSS
- Form Maker is the leading drag & drop plugin for building forms of any complexity in just a few clicks. Active installations: 90,000+
- Current Book - Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of July 15, 2022 and is not available for download. This closure is temporary, pending a full review.
- ECPay Logistics for WooCommerce - Unauthenticated Reflected XSS
- ECPay logistics plugin: it lets partner merchants and individual members who use open-source shop systems connect to ECPay's logistics system quickly by installing and configuring the plugin, without having to handle the complex verification themselves. Active installations: 2,000+
- Event Espresso Core - Reflected Cross-Site Scripting (XSS)
- Event managers can control every aspect of their event–or automate it all–to make their event registration fit their situation, be successful and profitable. Active installations: 40,000+
- VDZ CALLBACK - Authenticated Stored XSS
- Simple CallBack Shortcode with customization and phone mask. Compatible with Bootstrap / Foundation / WPML / Polylang. SEND events to Google Analytics. Active installations: 5,000+
- Wonder PDF Embed - Contributor+ Stored XSS
- WonderPlugin PDF Embed is a plugin to embed and display PDF files on your WordPress website by using Mozilla’s PDF.js. Active installations: 10,000+
- Wonder Video Embed - Contributor+ Stored XSS
- WonderPlugin Video Embed is an easy and powerful way to add videos to your WordPress site. You can embed your video in the sidebar widget, WordPress posts and pages. It supports YouTube, Vimeo, Wistia and self-hosted MP4/WebM videos. The video player is fully responsive and works on iPhone, iPad, Android, Chrome, Firefox, Safari, Opera. Active installations: 8,000+
- VikRentCar Car Rental Management System - Authenticated Stored Cross-Site Scripting (XSS)
- The popular car rental management system is now available also for WordPress as a Native Plugin! Active installations: 800+
- YouTube Embed - Contributor+ Stored XSS
- YouTube Embed is an incredibly fast, simple, yet powerful, method of embedding YouTube videos into your WordPress site. Active installations: 10,000+
- My Site Audit - Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pending a full review.
- Social Tape - CSRF to Stored XSS
- This plugin has been closed as of June 15, 2022 and is not available for download. This closure is temporary, pending a full review.
- Telugu Bible Verse Daily - CSRF to Stored XSS
- This plugin has been closed as of June 14, 2022 and is not available for download. This closure is temporary, pending a full review.
- Verse-O-Matic - CSRF to Stored XSS
- This plugin has been closed as of June 23, 2022 and is not available for download. This closure is temporary, pending a full review.
- Custom Login Redirect - CSRF to Stored XSS
- This plugin has been closed as of June 14, 2022 and is not available for download. This closure is temporary, pending a full review.
- Light Messages - CSRF to Stored XSS
- This plugin has been closed as of June 9, 2022 and is not available for download. This closure is temporary, pending a full review.
- PhoneTrack Meu Site Manager - Authenticated Stored XSS
- This plugin has been closed as of June 1, 2022 and is not available for download. Reason: Security Issue.
- Photo Gallery - Stored XSS via Uploaded SVG in Zip
- Photo Gallery - Stored Cross-Site Scripting via Uploaded SVG
- Photo Gallery - File Upload Path Traversal
- Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000+
- Mimetic Books - Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of July 19, 2022 and is not available for download. This closure is temporary, pending a full review.
- Cooked Pro - Unauthenticated Reflected Cross-Site Scripting (XSS)
- This plugin has been closed as of July 4, 2022 and is not available for download. Reason: Security Issue.
- KN Fix Your Title - Authenticated Stored XSS
- This plugin has been closed as of July 20, 2022 and is not available for download. This closure is temporary, pending a full review.
- Maintenance - Authenticated Stored XSS
- The Maintenance plugin allows the WordPress site administrator to close the website for maintenance, enable “503 Service temporarily unavailable”, and set a temporary page with authorization, which can be edited via the plugin settings. Easily customize the look on all devices. Add your logo, background image, select the desired color, add text. Active installations: 600,000+
- Grid Gallery - Unauthenticated Reflected Cross-Site Scripting (XSS)
- There are dozens of “Grid Gallery” plugins out there, but the problem is that they always work the same! Grid Gallery uses a brand new algorithm to make much more interesting image grids. How does it work? Active installations: 700+
- WP Custom Fields Search - Unauthenticated Reflected Cross-Site Scripting (XSS)
- With this you can give your readers the ability to search and filter your posts / catalogue to quickly find the information they need. Any custom fields you have added to your posts can be made searchable as well as the core post fields like title, author, categories etc. Configurable input widgets allow you to customise the form further to build exactly the search you need for your site. Active installations: 4,000+
- Google Language Translator - Authenticated Cross-Site Scripting (XSS)
- GTranslate has been a leading website translation service provider since 2008 and powers more than 500,000 multilingual websites worldwide. Active installations: 100,000+
- Charitable – Donation Plugin - Authenticated Stored Cross-Site Scripting (XSS)
- Charitable – Donation Plugin - Unauthenticated Stored Cross-Site Scripting (XSS)
- We believe that collecting online donations should be easy and affordable. That’s why Charitable is the only powerful WordPress donation plugin that never charges transaction fees. Active installations: 10,000+
- Simple Post - Authenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of July 23, 2022 and is not available for download. This closure is temporary, pending a full review.
- GTranslate - Reflected Cross-Site Scripting (XSS)
- The Translate WordPress with GTranslate plugin uses the Google Translate automatic translation service to translate your WordPress site with Google's power and make it multilingual. With 103 available languages your site will be available to more than 99% of internet users. Our paid versions are fully SEO compatible, which will increase your international traffic and sales. This translation plugin is a budget multilingual WordPress solution that combines automatic and human translations to save money and is easy to implement. Active installations: 300,000+
- Email Subscriber - Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of May 19, 2022 and is not available for download. Reason: Security Issue.
- Paid Membership Pro - Cross-Site Scripting
- Paid Memberships Pro gives you all the tools you need to start, manage, and grow your membership site. The plugin is designed for premium content sites, clubs/associations, subscription products, newsletters and more. Active installations: 100,000+
- Event Calendar WD - Cross-Site Scripting
- Event Calendar WD is the most powerful plugin to create events and organize them into calendars. Active installations: 20,000+
- Yada Wiki - Stored Cross-Site Scripting
- Yada Wiki provides a wiki post type, custom tags and categories, an index, and a table of contents option. The plugin allows you to link your wiki pages together using the wiki page titles. Active installations: 2,000+
- Tutor LMS - Authenticated Stored Cross-Site Scripting
- Tutor is a complete, feature-packed and robust WordPress LMS plugin to create & sell courses online easily. All the features of this learning management system hit all the checkpoints for a full-fledged online course marketplace. You can create challenging and fun quizzes, interactive lessons, powerful reports and stats, making Tutor potentially the best free WordPress LMS plugin. Manage, administer and monetize your education, online school, and online courses without having to write a single line of code. Active installations: 30,000+
- Youzify - Stored Cross-Site Scripting via Biography
- Youzify (formerly Youzer) is the number one BuddyPress plugin on Envato Market, and thousands of customers agree that it takes your online community to the next level. This advanced and feature-rich plugin has the power to showcase your unique brand experience and immerse your users in a dynamic community of loyal and engaged customers that propels your business forwards. Active installations: 5,000+
- Any Hostname - Authenticated Stored Cross-Site Scripting
- This plugin has been closed as of May 28, 2022 and is not available for download. Reason: Security Issue.
- Event Geek - Stored Cross-site Scripting
- This plugin has been closed as of May 27, 2022 and is not available for download. Reason: Security Issue.
- DrawBlog - Authenticated Stored Cross-Site Scripting
- This plugin has been closed as of May 27, 2022 and is not available for download. Reason: Security Issue.
- Bookshelf - Authenticated Stored Cross-Site Scripting
- This plugin has been closed as of May 25, 2022 and is not available for download. Reason: Security Issue.
- Migrate Users - CSRF to Stored Cross-Site Scripting
- This plugin has been closed as of May 25, 2022 and is not available for download. Reason: Security Issue.
- Steam Group Viewer - Authenticated Stored Cross-Site Scripting
- This plugin has been closed as of May 25, 2022 and is not available for download. Reason: Security Issue.
- Awesome Weather Widget - Authenticated Stored Cross-Site Scripting
- This plugin has been closed as of June 7, 2022 and is not available for download. This closure is temporary, pending a full review.
- Post Grid - Reflected Cross-Site Scripting
- Almost everything is ready to create a post grid from any post type; with a few clicks you can generate a beautiful grid for your blog posts, product showcase, team member showcase, portfolio, gallery, archive post display, category post display and tag post display, and custom taxonomy and term posts can be displayed via the post grid. If you have basic knowledge of CSS you can style your own via the layout editor to create a unique style for your grid. Active installations: 70,000+
- Portfolio Responsive Gallery - Authenticated Blind SQL Injections
- Portfolio Responsive Gallery - Reflected Cross-Site Scripting
- We suggest this portfolio plugin for companies, designers, photographers, artists, freelancers etc. Our plugin gives you an opportunity to present your work in the most attractive and meaningful way. Through our plugin you get a chance to unite several projects, each with many photos and descriptions. As all of this is done from one page, the plugin is very easy to use. You can make an unlimited number of portfolios, each of which can include an unlimited number of projects. All portfolios and projects are created separately, so you can create unique and different views on the same site. It is very easy to use this great plugin: you only need to upload photos and write short descriptions, then copy the automatic shortcode and add it to your post or page. Active installations: 10+
- Popup box - Authenticated Blind SQL Injections
- Popup box - Reflected Cross-Site Scripting
- Surely you want a responsive popup, so it will work the same way on computers, smartphones and all other devices used by your visitors. Active installations: 2,000+
- Survey Maker - Authenticated Blind SQL Injections
- Survey Maker - Reflected Cross-Site Scripting
- The Survey Maker plugin is a powerful, yet easy-to-use WordPress plugin designed for collecting data from a particular group of people and analyzing it. You just need to write a list of questions, configure the settings, save, and paste the shortcode of the survey into your website. Active installations: 100+
- Popup Like box – Page Plugin - Authenticated Blind SQL Injections
- Popup Like box – Page Plugin - Reflected Cross-Site Scripting
- With the help of this amazing plugin you can promote your Facebook page and increase your number of Likes, which is very important today. When someone visits your website, the plugin opens a popup box with your Facebook page like box. It has many types of parameters, which make it multifunctional and useful. Active installations: 400+
- Photo Gallery by Ays - Authenticated Blind SQL Injections
- Photo Gallery by Ays - Reflected Cross-Site Scripting
- Our free WordPress Photo Gallery is a cool responsive image gallery plugin with awesome layout options and stunning gallery and album views, designed with features that allow you not just to show photos in a beautiful way but to deliver the message hidden in them. Active installations: 300+
- Image Slider by Ays - Authenticated Blind SQL Injections
- Image Slider by Ays - Reflected Cross-Site Scripting
- Ays image slider is a progressive slider plugin, which is a great way to grab your audience’s attention with amazing and entertaining slideshows. Many customization options and a lot of cool effects make this image slider stand out. The plugin allows you to add an unlimited number of slides and customize the settings using different professional slider options. Active installations: 20+
- WP Offload SES Lite - Stored Cross-Site Scripting
- Are your WordPress site emails not being delivered? That’s pretty common. Over 20,000 sites trust WP Offload SES Lite to send their site email. WordPress’ default email sending functions just don’t cut it these days. You absolutely need to set up something more. Active installations: 30,000+
- WP SMS - Reflected Cross-Site Scripting
- With WP SMS you can add SMS sending to your WordPress product, so you can send SMS to your newsletter subscribers or your users and draw their attention to your site and products. Active installations: 8,000+
- TaxoPress - Authenticated Stored Cross-Site Scripting
- TaxoPress allows you to create and manage Tags, Categories and all your WordPress taxonomy terms. With the TaxoPress plugin, you can build new taxonomies and attach any taxonomy to different post types. Active installations: 80,000+
- Fontsampler - CSRF to Authenticated Reflected Cross-Site Scripting
- This is a plugin directed primarily at type designers, lettering artists, foundries or resellers using WordPress to showcase their fonts without the need for coding knowledge. Active installations: 900+
- WP LMS - Stored Cross-Site Scripting
- WP Learn Manager is an extensive, feature-rich and comprehensive learning management system for WordPress. WP Learn Manager comes with lots of features like a course list, course search with many filters, course creation, lecture creation, quizzes, taking lectures, enrollment, shortlisting courses, messaging, social logins, social sharing, awards and many more. Active installations: 90+
- Cooked – Recipe Plugin - Unauthenticated Reflected Cross-Site Scripting
- Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized (rich snippets), galleries, cooking timers, printable recipes and much more. Active installations: 8,000+
- Calendar Event Multi View - Unauthenticated Reflected Cross-Site Scripting
- The Calendar Event Multi View is an event calendar for WordPress websites that features multiple visualization modes and multiple predefined styles. Active installations: 2,000+
- Magic Post Thumbnail - Reflected Cross-Site Scripting
- Automatically generate thumbnails & images for your posts! Retrieve images from Google Images, Flickr or Pixabay via their APIs, based on your post title, text analysis and much more. The plugin adds the picture as your featured thumbnail or inside the post when you publish it. Active installations: 9,000+
- Forms - Authenticated Stored Cross-Site Scripting
- Forms is an easy form manager that lets you manage all your cool forms. Creating your own contact form or newsletter subscriber is easy. Active installations: 30+
- Marmoset Viewer - Reflected Cross-Site Scripting
- Allows you to embed Marmoset Toolbag mview files, allowing people to view your models in all their glory. Active installations: 600+
- NewsPlugin - CSRF to Stored Cross-Site Scripting
- This plugin has been closed as of July 20, 2022 and is not available for download. This closure is temporary, pending a full review.
- Edit Comments - Unauthenticated SQL Injection
- Edit Comments - Reflected Cross-Site Scripting
- This plugin has been closed as of June 2, 2022 and is not available for download. Reason: Security Issue.
Stay Healthy! A healthier online business starts today and it begins with you. Hire security experts to solve all your XSS JUL 2021 issues.
BRIEF: Cross-Site Scripting JUL 2021 is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
What is Cross-Site Scripting JUL 2021?
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
What is the impact of an XSS JUL 2021 attack?
The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:
- In a simple public application, where all users are anonymous and all information is public, the impact will often be minimal: there is nothing else to steal.
- In an application holding sensitive or private/personal data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
- If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users, owners and their data.
What kind of XSS attacks are exploited?
- Reflected XSS, where the malicious script comes from the current HTTP request.
- Stored XSS, where the malicious script comes from the website's database.
- DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.
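As an added example (not code from this report or from any plugin listed above), the two patterns that recur in the list, reflected XSS and "CSRF to stored XSS", in vulnerable and fixed form as a WordPress-style plugin would write them. The WordPress functions esc_html(), esc_attr(), current_user_can(), check_admin_referer() and sanitize_text_field() are replaced by plain-PHP stand-ins so the file runs on the CLI, and the DOM extension (ext-dom) is assumed to be available.

```php
<?php
// Added example, not code from the report or from any plugin listed in it.
// Vulnerable and fixed versions of two recurring WordPress-plugin patterns:
// reflected XSS in a search page, and "CSRF to stored XSS" through an
// unprotected settings handler. WordPress APIs are named inline.
// Stand-in for esc_html()/esc_attr(): entity-encode every character that
// can open a tag or terminate an attribute value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reflected XSS: the request parameter lands in the response as-is.
function render_search_vulnerable(array $get): string
{
    return '<h2>Results for: ' . ($get['s'] ?? '') . '</h2>';
}

// Fixed: escape at output time, for the context the value lands in.
function render_search_fixed(array $get): string
{
    return '<h2>Results for: ' . esc((string) ($get['s'] ?? '')) . '</h2>';
}

// CSRF half of "CSRF to stored XSS": a handler that skips the capability
// check and the nonce lets a forged request, made while an administrator
// is logged in, write attacker-chosen markup into the option table. Fixed:
// require both (current_user_can('manage_options') and check_admin_referer()
// in WordPress; passed in as booleans here) and sanitize the input
// (sanitize_text_field() in WordPress).
function save_banner_fixed(array $post, array &$options,
                           bool $user_can_manage, bool $nonce_valid): bool
{
    if (!$user_can_manage || !$nonce_valid) {
        return false;
    }
    $options['banner_title'] = trim(strip_tags((string) ($post['banner_title'] ?? '')));
    return true;
}

// Stored half: every visitor receives the option value. Unescaped it runs
// in their browsers; escaped it renders as inert text, even when the option
// was poisoned before the save handler was fixed.
function render_banner_vulnerable(array $options): string
{
    $t = $options['banner_title'] ?? '';
    return '<div class="banner" title="' . $t . '">' . $t . '</div>';
}

function render_banner_fixed(array $options): string
{
    $t = (string) ($options['banner_title'] ?? '');
    return '<div class="banner" title="' . esc($t) . '">' . esc($t) . '</div>';
}

// Parse the output as a browser would and report whether any element is a
// <script> or carries an on* handler. A regex over the raw string would
// misfire on escaped text, where substrings like "onerror=" survive.
function contains_live_script(string $html): bool
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy markup
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_use_internal_errors($prev);
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (strtolower($el->tagName) === 'script') return true;
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed probe, standing in for a crafted query string or a forged POST.
    $probe = '"><img src=x onerror=alert(1)>';
    $poisoned = ['banner_title' => $probe];   // what an unchecked handler would have stored
    $forged = save_banner_fixed(['banner_title' => $probe], $clean, true, false); // no nonce
    printf("forged save accepted by fixed handler: %s\n", $forged ? 'yes' : 'no');
    $cases = [
        'reflected/vulnerable'  => render_search_vulnerable(['s' => $probe]),
        'reflected/fixed'       => render_search_fixed(['s' => $probe]),
        'stored/vulnerable'     => render_banner_vulnerable($poisoned),
        'stored/escaped-output' => render_banner_fixed($poisoned),
    ];
    foreach ($cases as $label => $html) {
        printf("%-22s live_script=%s\n", $label, contains_live_script($html) ? 'yes' : 'no');
    }
}
```

Run with `php xss_demo.php`: only the two vulnerable renderings report a live script, and the forged save is refused, which is the pair of checks that closes the "CSRF to Stored XSS" entries above.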
CONTACT US TODAY with any reported XSS JUL 2021 vulnerability! Do you suspect any Cross-Site Scripting in your WordPress?