In this article, we want to share Vulnerable WordPress Plugins Blacklisted by Sucuri in 2017. Sucuri Inc. is the leading provider of web-based integrity monitoring, malware detection, and malware removal solutions delivered as a service. Sucuri’s web monitoring solution is used today by more than 50,000 sites worldwide. The pitfall is that even such giants as WooCommerce and BuddyPress sometimes receive vulnerable updates.
This is a regularly updated list of vulnerabilities found in WordPress themes, plugins and core files, which will help you detect potentially dangerous components on your website. WPScan Vulnerability Database is powered by Sucuri an online platform offering security solutions for WordPress, Joomla, Drupal, Magento, and many other CMSs. We have scanned their database, picked the most recent vulnerabilities, and made them up into a convenient table, which you can see below.
Types of hazards
In this table, you will see the latest vulnerable WordPress plugins spotted by Sucuri starting from the beginning of 2017. If phrases like “Stored XSS” doesn’t ring any bells, here are some definitions to get you covered:
- XSS (Cross-site Scripting) – enables attackers to inject client-side scripts into web pages viewed by other users. There are two types of XSS: stored and reflected. Stored XSS (also known as persistent XSS) occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS occurs when a malicious script is reflected off of a website to a victim’s browser.
- SQL Injections – allow hackers to exercise control over your database, including its unauthorized dumping and modification.
- LFI (Local File Inclusion) – results in remote code execution on the webserver that runs the affected web application.
- Cross-Site Request Forgery (CSRF) – a malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.
27 Vulnerable WordPress Plugins as of 03/16/2017
Many of them haven’t been updated for several years, so better delete them completely from your websites, as simple deactivation of a plugin doesn’t always solve the problem.
| Snippet | Name of the plugin | Version | Issue | Spotted on |
| alpine-photo-tile-for-Instagram | Alpine PhotoTile | 1.2.7.6 | Authenticated Reflected XSS | 2017-03-03 |
| Anavar | AnyVar | 0.1.1 | Stored Cross-Site Scripting (XSS) | 2017-03-06 |
| 404-redirection-manager | 404 to 301 SEO Redirection | 1.0 | SQL Injection | 2017-01-14 |
| contact-form-manager | Contact Form Manager | 1.4.2 | CSRF & Cross-Site Scripting (XSS) | 2017-03-02 |
| directdownload | Direct Download for WooCommerce | 1.15 | Unauthenticated LFI | 2017-01-18 |
| download-manager | Download Manager | 2.9.45 | Cross-Site Request Forgery (CSRF) | 2017-03-03 |
| dtracker | Dtracker | 1.5 | Multiple Unauthenticated Blind SQL Injections | 2017-03-09 |
| easy-table | Easy Table | Authenticated Stored XSS | 2017-02-20 | |
| global-content-blocks | Global Content Blocks | Cross-Site Request Forgery (CSRF) | 2017-03-03 | |
| google-analytics-dashboard | Google Analytics Dashboard | Authenticated XSS | 2017-03-02 | |
| google-mp3-audio-player | CodeArt Google MP3 Player | File Disclosure | 2017-02-09 | |
| google-sitemap-generator | Google XML Sitemaps | 4.0.8 | Authenticated Reflected XSS (via HOST header) | 2017-03-03 |
| kama-click-counter | Kama Click Counter | Authenticated Blind SQL Injection | 2017-02-28 | |
| mail-masta | Mail Masta | 1.0 | Multiple SQL Injection | 2017-02-23 |
| mobile-app-builder-by-wappress | WordPress Mobile app Builder | 1.05 | Unauthenticated File Upload | 2017-03-08 |
| mobile-friendly-app-builder-by-easytouch | How to Create an App for Android iPhone Easytouch | 3.0 | Unauthenticated File Upload | 2017-03-08 |
| popup-by-supsystic | Popup by Supsystic | Cross-Site Request Forgery (CSRF) | 2017-03-02 | |
| responsive-poll | Responsive Poll | 1.7.4 | Cross-Site Scripting (XSS) | 2017-01-11 |
| rockhoist-badges | Rockhurst Badges | 1.2.2 | Authenticated Stored XSS | 2017-03-06 |
| simple-ads-manager | Simple Ads Manager | Unauthenticated PHP Object Injection | 2017-03-03 | |
| stats-counter | Analytics Stats Counter Statistics | Unauthenticated PHP Object Injection | 2017-03-03 | |
| trust-form | Trust Form | Authenticated Reflected XSS | 2017-03-03 | |
| user-login-log | User Login Log | Stored Cross-Site Scripting (XSS) | 2017-03-02 | |
| webapp-builder | Webapp builder 2.0 | 2.0 | Unauthenticated File Upload | 2017-03-08 |
| wp-spamfree | WP-SpamFree Anti-Spam | Authenticated Reflected XSS | 2017-03-02 | |
| wp2android-turn-wp-site-into-android-app | Wp2android | 1.1.4 | Unauthenticated File Upload | 2017-03-08 |
| zen-mobile-app-native | Mobile App Native | 3.0 | Remote File Upload | 2017-03-01 |
16 Vulnerable WordPress Plugins that need to be updated ASAP
These 16 plugins are used by 4+ million WordPress websites. The list includes WooCommerce, BuddyPress, VaultPress and other world-renowned extensions. Luckily, developers of popular plugins fix critical issues quickly, so make sure that all of your plugins are always up-to-date. Enable auto-updates and regularly check if the plugins installed on your WordPress website are of the latest version.
| Snippet | Name of the plugin | Version | Issue | Update to |
| BuddyPress | BuddyPress | 2.7.3 | Arbitrary File Deletion | 2.7.4 |
| contact-form-plugin | Contact Form by BestWebSoft | 4.0.1 | Stored Cross-Site Scripting (XSS) | 4.0.2 |
| chained-quiz | Chained Quiz | 0.9.8 | Cross-Site Scripting (XSS) | 0.9.9 |
| cms-commander-client | CMS Commander Client | 2.21 | Unauthenticated PHP Object Injection | 2.22 |
| form builder | FormBuilder | 1.0.7 | Multiple Authenticated SQL Injection
Cross-Site Request Forgery (CSRF) |
1.0.8 |
| image-slider-widget | Slider | 1.1.89 | Authenticated Arbitrary File Deletion | 1.1.90 |
| iwp-client | InfiniteWP Client | 1.6.0 | Unauthenticated PHP Object Injection | 1.6.1.1 |
| magic-fields | Magic Fields | 1.7.1 | Authenticated XSS | 1.7.2 |
| newstatpress | NewStatPress | 1.2.4 | Stored Cross-Site Scripting (XSS) | 1.2.5 |
| nextgen-gallery | NextGEN Gallery | 2.1.77 | Unauthenticated SQL Injection | 2.1.79 |
| stop-user-enumeration | Stop User Enumeration | 1.3.7 | Unauthenticated Reflected XSS | 1.3.8 |
| vault press | VaultPress | 1.8.6 | Backend Server SSL Verification Disabled | 1.8.7 |
| xcloner-backup-and-restore | XCloner – Backup and Restore | 3.1.4 | Authenticated Path Traversal | 3.1.5 |
| WangGuard | WangGuard | 1.7.2 | Authenticated Reflected XSS | 1.7.3 |
| Woocommerce | WooCommerce | 2.6.8 | Authenticated Tax-Rate CSV XSS | 2.6.9 |
| wp form | Google Forms | 0.87 | Unauthenticated PHP Object Injection | 0.91 |
Hello. excellent job. I did not anticipate this. This is an excellent story.
Thanks!