The WPCampus Blog

On April 23, the Drupal Association announced “the first-ever virtual DrupalCon” which will take place July 14-17, 2020, the same time period as WPCampus 2020 Online. We felt there is...

The WPCampus community decided to pivot our 2020 in-person event to an online conference and re-scheduled to convene in New Orleans, Louisiana, for WPCampus 2021. WPCampus 2020 Online will take...

The impact of COVID-19 is being felt around the world. While WPCampus 2020 is still four months away, the effects of COVID-19 are rapidly evolving, and the emotional and physical...

A few months ago, The WPCampus community established a redesign working group with the goal of redesigning our community's main website: https://wpcampus.org. It's been an exciting project! The amazing group...

The call for WPCampus 2020 session proposals is open! Join us in New Orleans for our fifth-annual conference and share all of the incredible things you're doing to advance Higher Education...

The WPCampus community is excited to announce that our WPCampus 2020 call for proposals will be opening next week! We’re looking forward to another year of wonderful ideas, demonstrations, brainstorming,...

The WPCampus community is excited to announce the dates for our 2020 in-person conference. When and where Join us July 15-17, 2020 for three days of learning, sharing, and networking...

29 vulnerabilities this week, with 5 needing a fix (with some, possibly,  on the way). The first 3 vulnerabilities in the list are confirmations of possible vulnerabilities from last week....

26 vulnerabilities this week, with 7 needing a fix (with some, possibly,  on the way). Formidable Forms appears for the fourth time in a month, so you may wish to...

27 vulnerabilities this week, with 4 unfixed, but 1 being worked on. WooCommerce PayU India (PayUmoney – PayUbiz) , Instamojo for WooCommerce and DW Mega Menu are all closed and...

Vulnerable Plugins There are eighteen issues this week, with two unfixed, and five where fixes have been committed but aren't showing as available yet in the public repository.  The most...

Vulnerable Plugins There are eighteen issues this week, with eight unfixed.  The most critical this week is an Arbitrary File Upload vulnerability via Cross-Site Request Forgery vulnerability in the Maintenance...

Vulnerable Plugins There are eighteen issues this week, with three unfixed.  The most critical this week are Privilege Escalation vulnerabilities via Unauthenticated Option Update vulnerabilities in the Donations, Booking, Learning...

23 vulnerabilities this week, with 9 unfixed (some are commercial plugins where a change log isn't easily available, some are dot org plugins are being worked on - see the...

27 vulnerabilities this week (which means so far in july we've had 105 issues), with 4 unfixed. It's bad week for cache plugins, with WP Super Cache, WP fastest cache...

Our thanks to Funnelback, HelpJet, Milepost 42, and Sticker Mule for supporting WPCampus 2019.

Our thanks to ACF, DragonTeach, elearningfreak, Happy Prime, LearnDash, Pgogy Webstuff, Platform.sh, and SMILE for supporting WPCampus 2019.

26 issues this week, with 6 so far unfixed - though Advanced CF7 DB (Advanced Contact form 7 DB) seems to be being worked on. All-in-one migration has multiple issues...

Monarx provides an application security solution that protects WordPress websites. We are so grateful to have this company sponsor WPCampus 2019.

Pantheon is a website operations platform for Drupal and WordPress. We are so grateful to have this company as the doctoral sponsor for WPCampus 2019.

Modern Tribe is a digital agency for the modern university. We are so grateful to have this company sponsor WPCampus 2019.

CampusPress has powered WordPress Multisite networks for thousands of schools and universities around the world. WPMU DEV is giving WordPress superpowers to users around the world. We are so happy to have...

Registration for WPCampus 2019 may be closed but no worries! You can still attend many of our amazing sessions virtually. With the exception of workshops, sessions from WPCampus 2019 will...

Vulnerable Plugins There are twenty nine issues this week, with only one unfixed.  The most critical this week are Authenticated (low privileged user) Arbitrary Options Update vulnerability in the One...

Vulnerable Plugins There are twenty four issues this week, with five unfixed.  The most critical this week is an unfixed Authenticated Arbitrary File Upload vulnerability with the MapsSVG Lite plugin...

Vulnerable Plugins There are thirty four issues this week, with four unfixed.  The most critical this week is an unfixed Arbitrary Password Reset vulnerability with the Ultimate Members plugin.  Since...

For the WPCampus 2019 conference, the WPCampus community is excited to spend July 25 - 27 learning, networking, and sharing at Lewis and Clark College in Portland, Oregon. Every year...

Vulnerable Plugins There are twenty issues this week, with three unfixed.  The most critical this week are an Arbitrary Settings Update vulnerability in Real Estate Manager (unfixed), a Cross-Site Request...

Vulnerable Plugins There are nineteen issues this week, with five unfixed.  The most critical this week are two Arbitrary File Upload vulnerabilities in Finale WooCommerce Sale Countdown (fix available) and...

Vulnerable Plugins There are thirteen issues this week, with five unfixed.  The most critical this week is an Arbitrary File Upload vulnerability in Crelly Slider, discovered by NinTechNet. View this...

Vulnerable Plugins There are sixteen issues this week, with two unfixed.  The most critical this week are a privilege escalation issue in Slick Popups and an Unauthenticated Administrator Creation vulnerability...

Vulnerable Plugins There are fifteen issues this week, with five unfixed.  The most critical this week is in WPGraphQL which includes Create administrative users Post comments on articles bypassing article...

The WPCampus community is delighted to announce our official Diversity, Equity, and Inclusion statement. This statement came from a desire by the WPCampus leadership to prioritize issues of equity and...

Vulnerable Plugins There are nineteen issues this week, with five unfixed.  The most critical this week is the Sensitive Information Disclosure, Arbitrary File Deletion, and multiple Cross-Site Scripting vulnerabilities in...

Vulnerable Plugins Twenty-two issues over the last two weeks, with only two issues unfixed. The most critical updates are the Remote Code Execution vulnerability in the plugins W3 Total Cache,...

WPCampus is excited to announce that our accessibility testing vendor, Tenon LLC, will host a public webinar and question-and-answer session to discuss the results of the Gutenberg accessibility audit. The...

In late 2018, WPCampus released a request for proposals to conduct an accessibility audit of the WordPress block editor, also known as Gutenberg. In early 2019, we announced our selection...

Vulnerable Plugins There are nine issues this week, with five unfixed.  The two most critical are an Arbitrary File Upload vulnerability in the WooCommerce Checkout Manager plugin (closed in public...

Vulnerable Plugins Fifteen issues over the last two weeks, with five issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins There are twenty-two items on the list this week, with six unfixed. The issue with the most visibility this week by far, was the controversy surrounding the Pipdig...

We’re excited to officially announce WPCampus 2019! Join us July 25-27 at Lewis & Clark College in Portland, Oregon. About WPCampus 2019 WPCampus is a three-day conference event filled with...

Vulnerable Plugins There are seventeen items on the list this week, with twelve unfixed. View this week's vulnerable plugins list. Other Security News PuTTY released version 0.71 which addresses multiple...

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Unauthenticated Arbitrary wp_options import vulnerability in Easy WP SMTP,...

Hello WPCampus friends! We’re excited to announce that our Call for Proposals for this year’s conference will be opening soon! We’re looking forward to another year of wonderful ideas, demonstrations,...

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Sensitive Information Disclosure/Authenticated Arbitrary File Read vulnerability in Caldera...

Vulnerable Plugins There are twenty items on the list this week, with the vast majority of them related to the Freemius framework disclosure that happened last week.  WPVulnDB also has...

Vulnerable Plugins Seventeen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. We're likely to see many more plugins updated over the next week as...

Vulnerable Plugins Nine disclosures since last week, with all issues fixed. View this week's vulnerable plugins list.

Vulnerable Plugins Twenty-one disclosures since last week, with eight issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins Twelve disclosures since last week, with four issues unfixed. The most serious is an Arbitrary File Upload vulnerability in the plugin Slider by 10Web. It appears that the...

Vulnerable Plugins Three disclosures since last week, with all issues fixed. However, right as I was writing this post, WordFence released a post detailing multiple vulnerabilities in the plugin Total...

Vulnerable Plugins Fifteen disclosures over the last two weeks, with twelve issues unfixed. View this week's vulnerable plugins list. The most severe issue from this report is a Confidential Information...

WPCampus is excited to announce our selection of Tenon LLC to conduct an accessibility audit of the Gutenberg content editor. Founded by Karl Groves, Tenon is a leader in the...

Vulnerable Plugins Six disclosures over the last two weeks, with three issues unfixed. View this week's vulnerable plugins list. Luckily, the unfixed vulnerabilities are all in plugins that are fairly...

Vulnerable Plugins Six disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. I won't be doing a report next week due to the holidays.  I'll...

Vulnerable Plugins Thirteen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security News Version 5.0.1 was released earlier this week and corrects...

Vulnerable Plugins Fifteen disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Four issues are critical and should be updated immediately: Redirection for versions 3.6.2...

Vulnerable Plugins There were four disclosures over the last two weeks, with one issue unfixed. View this week's vulnerable plugins list. A weekly report on a Monday?  Yeah.  There were...

Update to this post: Our vendor has been selected and our final fundraising goal has been set at $31,200. You can learn more about the entire project by attending The...

Vulnerable Plugins Five disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Quick note that there will not be a report next week due to...

Vulnerable Plugins Eleven disclosures since last week, with three issues unfixed, one unknown. View this week's vulnerable plugins list. Far and away the most serious issue this last week was...

Vulnerable Plugins There were eight disclosures over the last two weeks, with two issues unfixed, one unknown. The disclosures that will affect the most people are the stored cross-site scripting...

Thank you to all who took the time to submit a proposal in response to our RFP for an accessibility audit of the WordPress Gutenberg editor. Our selection committee will...

Vulnerable Plugins There were ten disclosures over the last two weeks, with three issues unfixed. The most serious is an arbitrary file upload vulnerability in the csv2wpec-coupon plugin, which is...

Vulnerable Plugins Seven disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. Other WordPress News Earlier this week, the WordPress core team announced the release date for...

Vulnerable Plugins Eight disclosures since last week, with two issues unfixed, and two unknown. View this week's vulnerable plugins list. Other WordPress Security News There were several reports this week that...

Vulnerable Plugins Ten disclosures since last week, with four issues unfixed, the most serious being an Authenticated Arbitrary File Upload vulnerability in Advanced Contact form 7 DB. View this week's vulnerable...

Vulnerable Plugins Apologies for not sending out a report last week. There were seven disclosures over the last two weeks, with two issues unfixed. View this week's vulnerable plugins list....

Vulnerable Plugins Nine disclosures since last week, with four issues unfixed. Additionally, Ninja Forms has released version 3.3.14 which addresses the CSV Injection vulnerability disclosed last week. View this week's vulnerable plugins list....

Vulnerable Plugins Five disclosures since last week, with four issues unfixed, the most serious being an unfixed CSV Injection vulnerability in Ninja Forms. View this week's vulnerable plugins list. Other...

Vulnerable Plugins Four disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list.  

Vulnerable Plugins Somehow (thankfully) there has been only one public disclosure over the last two weeks: an Unauthenticated Arbitrary File Upload vulnerability in the Ultimate Member plugin that has been...

Vulnerable Plugins Four disclosures since last week, with one issue unfixed, one unsure but assumed unfixed. View this week's vulnerable plugins list. Yes, I know it's not Friday, but I'll...

Vulnerable Plugins Eight disclosures over the last two week, with five issues unfixed, one critical. An authenticated arbitrary file upload vulnerability has been identified in the MapSVGLite plugin that remains unfixed....

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure...

Vulnerable Plugins Ten disclosures over the last two week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security News The big news last week and into...

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure...

Update 20180705: version 4.9.7 has been released and addresses the issue below.  RipsTech (static analysis for PHP) yesterday disclosed an arbitrary file deletion vulnerability in all versions of WordPress.  The...

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure...

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Including this one only because I never imagined someone being...

100+ presentations, two world-class keynotes and a great community. HighEdWeb provides valuable professional development for all who want to explore the unique digital issues facing colleges and universities.

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure...

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure...

Vulnerable Plugins Ten disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other Security Came across a fun little security testing playground.  Allows you to...

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure...

Vulnerable Plugins Seventeen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security Defiant released a whitepaper earlier this week covering a new...

This post is part of a series featuring sponsors from our WPCampus 2018 conference. Events like WPCampus would not be possible without the support of these amazing organizations. Be sure...

Vulnerable Plugins Ten disclosures since last week, with five issues unfixed. View this week's vulnerable plugins list. Other Security News As I mentioned last week, a new malware, dubbed VPNFilter,...

Vulnerable Plugins Six disclosures since last week, with three issues still unfixed. View this week's vulnerable plugins list. WordPress Security New WordFence released an interesting report on Tuesday that showcased...

Vulnerable Plugins Eleven disclosures since last week, with one critical unfixed. KingComposer has an Arbitrary File Upload vulnerability in its current version. You should remove the plugin until the author has...

Vulnerable Plugins Three disclosures since last week, with all three issues unfixed.  WP Google Drive has not been updated in six years and should be replaced, if you haven't already. View...

Vulnerable Plugins Two disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.6 is now in beta, with a tentative official...

Vulnerable Plugins Twelve disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Cross-Site Request Forgery vulnerability disclosed in phpMyAdmin 4.8.0 and earlier...

Vulnerable Plugins Just two disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list.  

Vulnerable Plugins Nine disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Apologies for not getting this report out on Friday. I had other issues...

Vulnerable Plugins Three disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As previously mentioned, v4.9.5 was released on April 3rd.  While...

Vulnerable Plugins Seven disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As noted last week, WordPress version 4.9.5 is scheduled for release...

Vulnerable Plugins Three disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.5 of WordPress is now in beta and has...

Vulnerable Plugins Thirteen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. As with previous weeks, there are a few fairly popular plugins in this...

In addition to this blog post, you can hear more about NC State's GutenDay on the WPCampus Podcast! We were vaguely aware of Gutenberg all through 2017. Our team in...

Vulnerable Plugins Five disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's...

Vulnerable Plugins Seven disclosures since last week, with only one issue unfixed. View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this...

Vulnerable Plugins Nine disclosures since last week, with all issues fixed! View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's...

Vulnerable Plugins Eighteen disclosures over the last two weeks, with nine issues unfixed. View the last two weeks' vulnerable plugins list. Other Security News Way back in 2014, Google announced...

As I mentioned on Friday, WordPress version 4.9.3 was released as scheduled Monday mid-day. If you have auto-updates enabled, you might have been surprised to see another WordPress update (4.9.4) come through...

Vulnerable Plugins Seven disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress News WordPress core announced on Tuesday version 4.9.3 will be delayed until...

Vulnerable Plugins Eighteen disclosures since last week, with five issues unfixed. Plus two disclosures (Ninja Popups) that I missed last week. View this week's vulnerable plugins list. WPCampus Online Don't...

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. WordPress Security News Version 4.9.2 was released on Tuesday. It is a security...

Vulnerable Plugins Keep it short and sweet this week: twenty-seven disclosures since last week, with seven issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins Ten disclosures over the last two weeks, with four issues unfixed. View this week's vulnerable plugins list. I hope everyone had a wonderful and relaxing holiday break. Unfortunately,...

Vulnerable Plugins Twenty-six disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The most concerning disclosure this week was the discovery by Wordfence that the plugin Captcha...

Vulnerable Plugins Seven disclosures this week, with five issues unfixed. View this week's vulnerable plugins list. Other Security News I've discussed the DorkBot service from UT Austin a couple of...

Vulnerable Plugins Six disclosures this week, with two issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins Fifteen disclosures over the last two weeks, with eleven issues unfixed. View this week's vulnerable plugins list. I hope everyone in the State's had a great Thanksgiving last...

Vulnerable Plugins Twenty-two disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The critical updates you should be aware of from this week's list are in...

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week's vulnerable plugins list. The most interesting disclosure this week, in my opinion, is that for the Animated...

Vulnerable Plugins Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet). View this week's vulnerable plugins list. The largest disclosure this...

Version 4.8.3 was just released moments ago. It address a SQL Injection issue discovered by Anthony Ferrara‏  https://twitter.com/ircmaxell/status/923662170092638208 Confirmation from Anthony  https://twitter.com/ircmaxell/status/925366959612538882 WordPress post concerning the update: https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/ and https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/...

Vulnerable Plugins Nine disclosures this week, with five issues unfixed. View this week's vulnerable plugins list. The largest disclosure this week was most likely the SQL Injection combined with Object...

Vulnerable Plugins Seventeen disclosures over the last two weeks, with six issues unfixed. View this week's vulnerable plugins list. Sorry I wasn't able to get last week's list out on...

Vulnerable Plugins Fourteen disclosures this week, with six issues unfixed, with three of those critical. View this week's vulnerable plugins list. The big news this last week, at least in...

Vulnerable Plugins Eleven disclosures this week, with two issues unfixed, both critical. Both have been removed from the public repository. View this week's vulnerable plugins list. As a point of...

Vulnerable Plugins Fourteen disclosures this week, with five issues unfixed, and one that is critical. View this week's vulnerable plugins list. The critical disclosure this week is an Arbitrary File...

Vulnerable Plugins Eight disclosures this week, with two issues unfixed, and two where I'm not sure. View this week's vulnerable plugins list. The two I'm unsure of this week are...

Vulnerable Plugins Seventeen disclosures this week, with eight issues unfixed. View this week's vulnerable plugins list. Other Security News The big disclosure this week was the breach at Equifax. If...

Vulnerable Plugins Ten disclosures this week, with three issues unfixed. View this week's vulnerable plugin list. The disclosure with the most visibility this week was in WooCommerce Product Vendors, where...

Vulnerable Plugins/Themes Seven disclosures this week, with zero issues unfixed. YAY! View week's vulnerable plugin list.   This week, let's look at the Authenticated, Unauthorized Information Disclosure vulnerability in version...

Vulnerable Plugins/Themes Eleven disclosures this week, with three issues unfixed. View week's vulnerable plugin list. Going to highlight a couple from this week. The first is the discovery by researcher Lenon...

Vulnerable Plugins/Themes Eleven disclosures this week, with two issues unfixed. View this week's vulnerable plugin list. We have one theme joining the list this week: GamePlan - Event and Gym...

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. One of the disclosures is actually from last week that I intended to include...

Vulnerable Plugins It was a busy week while I was away.  Twenty disclosures, with eleven issues unfixed.  In concerns to both Formcraft Form Builder, and Ultimate Affiliate Pro, since they...

Nope, today is not friday (sorry). I'm going to be out-of-town tomorrow so I'm doing this week's report a day early.  I'll also be out next week; as such, there...

Vulnerable Plugins Only four plugins with disclosed vulnerabilities this week, none of which remain unpatched! That's the fewest number of disclosures in a week since I started doing this report.  You'll notice...

Vulnerable Plugins Eight plugins with disclosed vulnerabilities this week, five of which remain unpatched. The most serious is FormCraft which contains two unfixed SQL Injection vulnerabilities.  The packetstorm post mentions...

Vulnerable Plugins This week's list is probably one of the shortest since I started doing these reports: only 6 plugins, with 3 having unfixed vulnerabilities.  Unfortunately, one of them is...

Introduction The weekly list is a collection of plugins and/or themes that have had vulnerabilities disclosed within the last week. I've historically created these weekly vulnerable plugin reports for the WordPress...