In this article, we share the vulnerable WordPress plugins blacklisted by Sucuri in 2017. Sucuri Inc. is the leading provider of web-based integrity monitoring, malware detection, and malware removal solutions delivered as a service. Sucuri’s web monitoring solution is used today by more than 50,000 sites worldwide. The pitfall is that even such giants as WooCommerce and BuddyPress sometimes receive vulnerable updates.

This is a regularly updated list of vulnerabilities found in WordPress themes, plugins and core files, which will help you detect potentially dangerous components on your website. WPScan Vulnerability Database is powered by Sucuri, an online platform offering security solutions for WordPress, Joomla, Drupal, Magento, and many other CMSs. We have scanned their database, picked the most recent vulnerabilities, and compiled them into a convenient table, which you can see below.

Types of hazards

In this table, you will see the latest vulnerable WordPress plugins spotted by Sucuri starting from the beginning of 2017. If phrases like “Stored XSS” don’t ring any bells, here are some definitions to get you covered:

  1. XSS (Cross-site Scripting) – enables attackers to inject client-side scripts into web pages viewed by other users. There are two types of XSS: stored and reflected. Stored XSS (also known as persistent XSS) occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS occurs when a malicious script is reflected off of a website to a victim’s browser.
  2. SQL Injections – allow hackers to exercise control over your database, including its unauthorized dumping and modification.
  3. LFI (Local File Inclusion) – results in remote code execution on the webserver that runs the affected web application.
  4. Cross-Site Request Forgery (CSRF) – a malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.

27 Vulnerable WordPress Plugins as of 03/16/2017

Many of them haven’t been updated for several years, so it is better to delete them completely from your websites, as simply deactivating a plugin doesn’t always solve the problem.

| Snippet | Name of the plugin | Version | Issue | Spotted on |
|---|---|---|---|---|
| alpine-photo-tile-for-Instagram | Alpine PhotoTile | | Authenticated Reflected XSS | 2017-03-03 |
| anyvar | AnyVar | 0.1.1 | Stored Cross-Site Scripting (XSS) | 2017-03-06 |
| 404-redirection-manager | 404 to 301 SEO Redirection | 1.0 | SQL Injection | 2017-01-14 |
| contact-form-manager | Contact Form Manager | 1.4.2 | CSRF & Cross-Site Scripting (XSS) | 2017-03-02 |
| directdownload | Direct Download for WooCommerce | 1.15 | Unauthenticated LFI | 2017-01-18 |
| download-manager | Download Manager | 2.9.45 | Cross-Site Request Forgery (CSRF) | 2017-03-03 |
| dtracker | Dtracker | 1.5 | Multiple Unauthenticated Blind SQL Injections | 2017-03-09 |
| easy-table | Easy Table | | Authenticated Stored XSS | 2017-02-20 |
| global-content-blocks | Global Content Blocks | | Cross-Site Request Forgery (CSRF) | 2017-03-03 |
| google-analytics-dashboard | Google Analytics Dashboard | | Authenticated XSS | 2017-03-02 |
| google-mp3-audio-player | CodeArt Google MP3 Player | | File Disclosure | 2017-02-09 |
| google-sitemap-generator | Google XML Sitemaps | 4.0.8 | Authenticated Reflected XSS (via HOST header) | 2017-03-03 |
| kama-click-counter | Kama Click Counter | | Authenticated Blind SQL Injection | 2017-02-28 |
| mail-masta | Mail Masta | 1.0 | Multiple SQL Injection | 2017-02-23 |
| mobile-app-builder-by-wappress | WordPress Mobile app Builder | 1.05 | Unauthenticated File Upload | 2017-03-08 |
| mobile-friendly-app-builder-by-easytouch | How to Create an App for Android iPhone Easytouch | 3.0 | Unauthenticated File Upload | 2017-03-08 |
| popup-by-supsystic | Popup by Supsystic | | Cross-Site Request Forgery (CSRF) | 2017-03-02 |
| responsive-poll | Responsive Poll | 1.7.4 | Cross-Site Scripting (XSS) | 2017-01-11 |
| rockhoist-badges | Rockhoist Badges | 1.2.2 | Authenticated Stored XSS | 2017-03-06 |
| simple-ads-manager | Simple Ads Manager | | Unauthenticated PHP Object Injection | 2017-03-03 |
| stats-counter | Analytics Stats Counter Statistics | | Unauthenticated PHP Object Injection | 2017-03-03 |
| trust-form | Trust Form | | Authenticated Reflected XSS | 2017-03-03 |
| user-login-log | User Login Log | | Stored Cross-Site Scripting (XSS) | 2017-03-02 |
| webapp-builder | Webapp builder 2.0 | 2.0 | Unauthenticated File Upload | 2017-03-08 |
| wp-spamfree | WP-SpamFree Anti-Spam | | Authenticated Reflected XSS | 2017-03-02 |
| wp2android-turn-wp-site-into-android-app | Wp2android | 1.1.4 | Unauthenticated File Upload | 2017-03-08 |
| zen-mobile-app-native | Mobile App Native | 3.0 | Remote File Upload | 2017-03-01 |

16 Vulnerable WordPress Plugins that need to be updated ASAP

These 16 plugins are used by 4+ million WordPress websites. The list includes WooCommerce, BuddyPress, VaultPress and other world-renowned extensions. Luckily, developers of popular plugins fix critical issues quickly, so make sure that all of your plugins are always up to date. Enable auto-updates and regularly check that the plugins installed on your WordPress website are at the latest version.

| Snippet | Name of the plugin | Version | Issue | Update to |
|---|---|---|---|---|
| BuddyPress | BuddyPress | 2.7.3 | Arbitrary File Deletion | 2.7.4 |
| contact-form-plugin | Contact Form by BestWebSoft | 4.0.1 | Stored Cross-Site Scripting (XSS) | 4.0.2 |
| chained-quiz | Chained Quiz | 0.9.8 | Cross-Site Scripting (XSS) | 0.9.9 |
| cms-commander-client | CMS Commander Client | 2.21 | Unauthenticated PHP Object Injection | 2.22 |
| formbuilder | FormBuilder | 1.0.7 | Multiple Authenticated SQL Injection; Cross-Site Request Forgery (CSRF) | |
| image-slider-widget | Slider | 1.1.89 | Authenticated Arbitrary File Deletion | 1.1.90 |
| iwp-client | InfiniteWP Client | 1.6.0 | Unauthenticated PHP Object Injection | |
| magic-fields | Magic Fields | 1.7.1 | Authenticated XSS | 1.7.2 |
| newstatpress | NewStatPress | 1.2.4 | Stored Cross-Site Scripting (XSS) | 1.2.5 |
| nextgen-gallery | NextGEN Gallery | 2.1.77 | Unauthenticated SQL Injection | 2.1.79 |
| stop-user-enumeration | Stop User Enumeration | 1.3.7 | Unauthenticated Reflected XSS | 1.3.8 |
| vaultpress | VaultPress | 1.8.6 | Backend Server SSL Verification Disabled | 1.8.7 |
| xcloner-backup-and-restore | XCloner – Backup and Restore | 3.1.4 | Authenticated Path Traversal | 3.1.5 |
| WangGuard | WangGuard | 1.7.2 | Authenticated Reflected XSS | 1.7.3 |
| Woocommerce | WooCommerce | 2.6.8 | Authenticated Tax-Rate CSV XSS | 2.6.9 |
| wp form | Google Forms | 0.87 | Unauthenticated PHP Object Injection | 0.91 |
