Community Blog posts about Security

29 vulnerabilities this week, with 5 needing a fix (with some, possibly,  on the way). The first 3 vulnerabilities in the list are confirmations of possible vulnerabilities from last week....

26 vulnerabilities this week, with 7 needing a fix (with some, possibly,  on the way). Formidable Forms appears for the fourth time in a month, so you may wish to...

27 vulnerabilities this week, with 4 unfixed, but 1 being worked on. WooCommerce PayU India (PayUmoney – PayUbiz) , Instamojo for WooCommerce and DW Mega Menu are all closed and...

Vulnerable Plugins There are eighteen issues this week, with two unfixed, and five where fixes have been committed but aren't showing as available yet in the public repository.  The most...

Vulnerable Plugins There are eighteen issues this week, with eight unfixed.  The most critical this week is an Arbitrary File Upload vulnerability via Cross-Site Request Forgery vulnerability in the Maintenance...

Vulnerable Plugins There are eighteen issues this week, with three unfixed.  The most critical this week are Privilege Escalation vulnerabilities via Unauthenticated Option Update vulnerabilities in the Donations, Booking, Learning...

23 vulnerabilities this week, with 9 unfixed (some are commercial plugins where a change log isn't easily available, some are dot org plugins are being worked on - see the...

27 vulnerabilities this week (which means so far in july we've had 105 issues), with 4 unfixed. It's bad week for cache plugins, with WP Super Cache, WP fastest cache...

26 issues this week, with 6 so far unfixed - though Advanced CF7 DB (Advanced Contact form 7 DB) seems to be being worked on. All-in-one migration has multiple issues...

Vulnerable Plugins There are twenty nine issues this week, with only one unfixed.  The most critical this week are Authenticated (low privileged user) Arbitrary Options Update vulnerability in the One...

Vulnerable Plugins There are twenty four issues this week, with five unfixed.  The most critical this week is an unfixed Authenticated Arbitrary File Upload vulnerability with the MapsSVG Lite plugin...

Vulnerable Plugins There are thirty four issues this week, with four unfixed.  The most critical this week is an unfixed Arbitrary Password Reset vulnerability with the Ultimate Members plugin.  Since...

Vulnerable Plugins There are twenty issues this week, with three unfixed.  The most critical this week are an Arbitrary Settings Update vulnerability in Real Estate Manager (unfixed), a Cross-Site Request...

Vulnerable Plugins There are nineteen issues this week, with five unfixed.  The most critical this week are two Arbitrary File Upload vulnerabilities in Finale WooCommerce Sale Countdown (fix available) and...

Vulnerable Plugins There are thirteen issues this week, with five unfixed.  The most critical this week is an Arbitrary File Upload vulnerability in Crelly Slider, discovered by NinTechNet. View this...

Vulnerable Plugins There are sixteen issues this week, with two unfixed.  The most critical this week are a privilege escalation issue in Slick Popups and an Unauthenticated Administrator Creation vulnerability...

Vulnerable Plugins There are fifteen issues this week, with five unfixed.  The most critical this week is in WPGraphQL which includes Create administrative users Post comments on articles bypassing article...

Vulnerable Plugins There are nineteen issues this week, with five unfixed.  The most critical this week is the Sensitive Information Disclosure, Arbitrary File Deletion, and multiple Cross-Site Scripting vulnerabilities in...

Vulnerable Plugins Twenty-two issues over the last two weeks, with only two issues unfixed. The most critical updates are the Remote Code Execution vulnerability in the plugins W3 Total Cache,...

Vulnerable Plugins There are nine issues this week, with five unfixed.  The two most critical are an Arbitrary File Upload vulnerability in the WooCommerce Checkout Manager plugin (closed in public...

Vulnerable Plugins Fifteen issues over the last two weeks, with five issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins There are twenty-two items on the list this week, with six unfixed. The issue with the most visibility this week by far, was the controversy surrounding the Pipdig...

Vulnerable Plugins There are seventeen items on the list this week, with twelve unfixed. View this week's vulnerable plugins list. Other Security News PuTTY released version 0.71 which addresses multiple...

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Unauthenticated Arbitrary wp_options import vulnerability in Easy WP SMTP,...

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Sensitive Information Disclosure/Authenticated Arbitrary File Read vulnerability in Caldera...

Vulnerable Plugins There are twenty items on the list this week, with the vast majority of them related to the Freemius framework disclosure that happened last week.  WPVulnDB also has...

Vulnerable Plugins Seventeen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. We're likely to see many more plugins updated over the next week as...

Vulnerable Plugins Nine disclosures since last week, with all issues fixed. View this week's vulnerable plugins list.

Vulnerable Plugins Twenty-one disclosures since last week, with eight issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins Twelve disclosures since last week, with four issues unfixed. The most serious is an Arbitrary File Upload vulnerability in the plugin Slider by 10Web. It appears that the...

Vulnerable Plugins Three disclosures since last week, with all issues fixed. However, right as I was writing this post, WordFence released a post detailing multiple vulnerabilities in the plugin Total...

Vulnerable Plugins Fifteen disclosures over the last two weeks, with twelve issues unfixed. View this week's vulnerable plugins list. The most severe issue from this report is a Confidential Information...

Vulnerable Plugins Six disclosures over the last two weeks, with three issues unfixed. View this week's vulnerable plugins list. Luckily, the unfixed vulnerabilities are all in plugins that are fairly...

Vulnerable Plugins Six disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. I won't be doing a report next week due to the holidays.  I'll...

Vulnerable Plugins Thirteen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security News Version 5.0.1 was released earlier this week and corrects...

Vulnerable Plugins Fifteen disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Four issues are critical and should be updated immediately: Redirection for versions 3.6.2...

Vulnerable Plugins There were four disclosures over the last two weeks, with one issue unfixed. View this week's vulnerable plugins list. A weekly report on a Monday?  Yeah.  There were...

Vulnerable Plugins Five disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Quick note that there will not be a report next week due to...

Vulnerable Plugins Eleven disclosures since last week, with three issues unfixed, one unknown. View this week's vulnerable plugins list. Far and away the most serious issue this last week was...

Vulnerable Plugins There were eight disclosures over the last two weeks, with two issues unfixed, one unknown. The disclosures that will affect the most people are the stored cross-site scripting...

Vulnerable Plugins There were ten disclosures over the last two weeks, with three issues unfixed. The most serious is an arbitrary file upload vulnerability in the csv2wpec-coupon plugin, which is...

Vulnerable Plugins Seven disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. Other WordPress News Earlier this week, the WordPress core team announced the release date for...

Vulnerable Plugins Eight disclosures since last week, with two issues unfixed, and two unknown. View this week's vulnerable plugins list. Other WordPress Security News There were several reports this week that...

Vulnerable Plugins Ten disclosures since last week, with four issues unfixed, the most serious being an Authenticated Arbitrary File Upload vulnerability in Advanced Contact form 7 DB. View this week's vulnerable...

Vulnerable Plugins Apologies for not sending out a report last week. There were seven disclosures over the last two weeks, with two issues unfixed. View this week's vulnerable plugins list....

Vulnerable Plugins Nine disclosures since last week, with four issues unfixed. Additionally, Ninja Forms has released version 3.3.14 which addresses the CSV Injection vulnerability disclosed last week. View this week's vulnerable plugins list....

Vulnerable Plugins Five disclosures since last week, with four issues unfixed, the most serious being an unfixed CSV Injection vulnerability in Ninja Forms. View this week's vulnerable plugins list. Other...

Vulnerable Plugins Four disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list.  

Vulnerable Plugins Somehow (thankfully) there has been only one public disclosure over the last two weeks: an Unauthenticated Arbitrary File Upload vulnerability in the Ultimate Member plugin that has been...

Vulnerable Plugins Four disclosures since last week, with one issue unfixed, one unsure but assumed unfixed. View this week's vulnerable plugins list. Yes, I know it's not Friday, but I'll...

Vulnerable Plugins Eight disclosures over the last two week, with five issues unfixed, one critical. An authenticated arbitrary file upload vulnerability has been identified in the MapSVGLite plugin that remains unfixed....

Vulnerable Plugins Ten disclosures over the last two week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security News The big news last week and into...

Update 20180705: version 4.9.7 has been released and addresses the issue below.  RipsTech (static analysis for PHP) yesterday disclosed an arbitrary file deletion vulnerability in all versions of WordPress.  The...

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Including this one only because I never imagined someone being...

Vulnerable Plugins Ten disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other Security Came across a fun little security testing playground.  Allows you to...

Vulnerable Plugins Seventeen disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress Security Defiant released a whitepaper earlier this week covering a new...

Vulnerable Plugins Ten disclosures since last week, with five issues unfixed. View this week's vulnerable plugins list. Other Security News As I mentioned last week, a new malware, dubbed VPNFilter,...

Vulnerable Plugins Six disclosures since last week, with three issues still unfixed. View this week's vulnerable plugins list. WordPress Security New WordFence released an interesting report on Tuesday that showcased...

Vulnerable Plugins Eleven disclosures since last week, with one critical unfixed. KingComposer has an Arbitrary File Upload vulnerability in its current version. You should remove the plugin until the author has...

Vulnerable Plugins Three disclosures since last week, with all three issues unfixed.  WP Google Drive has not been updated in six years and should be replaced, if you haven't already. View...

Vulnerable Plugins Two disclosures since last week, with zero issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.6 is now in beta, with a tentative official...

Vulnerable Plugins Twelve disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other Security News Cross-Site Request Forgery vulnerability disclosed in phpMyAdmin 4.8.0 and earlier...

Vulnerable Plugins Just two disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list.  

Vulnerable Plugins Nine disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Apologies for not getting this report out on Friday. I had other issues...

Vulnerable Plugins Three disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As previously mentioned, v4.9.5 was released on April 3rd.  While...

Vulnerable Plugins Seven disclosures since last week, with one issue unfixed. View this week's vulnerable plugins list. Other WordPress News As noted last week, WordPress version 4.9.5 is scheduled for release...

Vulnerable Plugins Three disclosures since last week, with two issues unfixed. View this week's vulnerable plugins list. Other WordPress News Version 4.9.5 of WordPress is now in beta and has...

Vulnerable Plugins Thirteen disclosures since last week, with four issues unfixed. View this week's vulnerable plugins list. As with previous weeks, there are a few fairly popular plugins in this...

Vulnerable Plugins Five disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's...

Vulnerable Plugins Seven disclosures since last week, with only one issue unfixed. View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this...

Vulnerable Plugins Nine disclosures since last week, with all issues fixed! View this week's vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week's...

Vulnerable Plugins Eighteen disclosures over the last two weeks, with nine issues unfixed. View the last two weeks' vulnerable plugins list. Other Security News Way back in 2014, Google announced...

As I mentioned on Friday, WordPress version 4.9.3 was released as scheduled Monday mid-day. If you have auto-updates enabled, you might have been surprised to see another WordPress update (4.9.4) come through...

Vulnerable Plugins Seven disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. Other WordPress News WordPress core announced on Tuesday version 4.9.3 will be delayed until...

Vulnerable Plugins Eighteen disclosures since last week, with five issues unfixed. Plus two disclosures (Ninja Popups) that I missed last week. View this week's vulnerable plugins list. WPCampus Online Don't...

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week's vulnerable plugins list. WordPress Security News Version 4.9.2 was released on Tuesday. It is a security...

Vulnerable Plugins Keep it short and sweet this week: twenty-seven disclosures since last week, with seven issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins Ten disclosures over the last two weeks, with four issues unfixed. View this week's vulnerable plugins list. I hope everyone had a wonderful and relaxing holiday break. Unfortunately,...

Vulnerable Plugins Twenty-six disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The most concerning disclosure this week was the discovery by Wordfence that the plugin Captcha...

Vulnerable Plugins Seven disclosures this week, with five issues unfixed. View this week's vulnerable plugins list. Other Security News I've discussed the DorkBot service from UT Austin a couple of...

Vulnerable Plugins Six disclosures this week, with two issues unfixed. View this week's vulnerable plugins list.

Vulnerable Plugins Fifteen disclosures over the last two weeks, with eleven issues unfixed. View this week's vulnerable plugins list. I hope everyone in the State's had a great Thanksgiving last...

Vulnerable Plugins Twenty-two disclosures this week, with ten issues unfixed. View this week's vulnerable plugins list. The critical updates you should be aware of from this week's list are in...

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week's vulnerable plugins list. The most interesting disclosure this week, in my opinion, is that for the Animated...

Vulnerable Plugins Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet). View this week's vulnerable plugins list. The largest disclosure this...

Version 4.8.3 was just released moments ago. It address a SQL Injection issue discovered by Anthony Ferrara‏  https://twitter.com/ircmaxell/status/923662170092638208 Confirmation from Anthony  https://twitter.com/ircmaxell/status/925366959612538882 WordPress post concerning the update: https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/ and https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/...

Vulnerable Plugins Nine disclosures this week, with five issues unfixed. View this week's vulnerable plugins list. The largest disclosure this week was most likely the SQL Injection combined with Object...

Vulnerable Plugins Seventeen disclosures over the last two weeks, with six issues unfixed. View this week's vulnerable plugins list. Sorry I wasn't able to get last week's list out on...

Vulnerable Plugins Fourteen disclosures this week, with six issues unfixed, with three of those critical. View this week's vulnerable plugins list. The big news this last week, at least in...

Vulnerable Plugins Eleven disclosures this week, with two issues unfixed, both critical. Both have been removed from the public repository. View this week's vulnerable plugins list. As a point of...

Vulnerable Plugins Fourteen disclosures this week, with five issues unfixed, and one that is critical. View this week's vulnerable plugins list. The critical disclosure this week is an Arbitrary File...

Vulnerable Plugins Eight disclosures this week, with two issues unfixed, and two where I'm not sure. View this week's vulnerable plugins list. The two I'm unsure of this week are...

Vulnerable Plugins Seventeen disclosures this week, with eight issues unfixed. View this week's vulnerable plugins list. Other Security News The big disclosure this week was the breach at Equifax. If...

Vulnerable Plugins Ten disclosures this week, with three issues unfixed. View this week's vulnerable plugin list. The disclosure with the most visibility this week was in WooCommerce Product Vendors, where...

Vulnerable Plugins/Themes Seven disclosures this week, with zero issues unfixed. YAY! View week's vulnerable plugin list.   This week, let's look at the Authenticated, Unauthorized Information Disclosure vulnerability in version...

Vulnerable Plugins/Themes Eleven disclosures this week, with three issues unfixed. View week's vulnerable plugin list. Going to highlight a couple from this week. The first is the discovery by researcher Lenon...

Vulnerable Plugins/Themes Eleven disclosures this week, with two issues unfixed. View this week's vulnerable plugin list. We have one theme joining the list this week: GamePlan - Event and Gym...

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. One of the disclosures is actually from last week that I intended to include...

Vulnerable Plugins It was a busy week while I was away.  Twenty disclosures, with eleven issues unfixed.  In concerns to both Formcraft Form Builder, and Ultimate Affiliate Pro, since they...

Nope, today is not friday (sorry). I'm going to be out-of-town tomorrow so I'm doing this week's report a day early.  I'll also be out next week; as such, there...

Vulnerable Plugins Only four plugins with disclosed vulnerabilities this week, none of which remain unpatched! That's the fewest number of disclosures in a week since I started doing this report.  You'll notice...

Vulnerable Plugins Eight plugins with disclosed vulnerabilities this week, five of which remain unpatched. The most serious is FormCraft which contains two unfixed SQL Injection vulnerabilities.  The packetstorm post mentions...

Vulnerable Plugins This week's list is probably one of the shortest since I started doing these reports: only 6 plugins, with 3 having unfixed vulnerabilities.  Unfortunately, one of them is...

Introduction The weekly list is a collection of plugins and/or themes that have had vulnerabilities disclosed within the last week. I've historically created these weekly vulnerable plugin reports for the WordPress...