In this article, we want to share Vulnerable WordPress Plugins Blacklisted by Sucuri in 2017. Sucuri Inc. is the leading provider of web-based integrity monitoring, malware detection, and malware removal solutions delivered as a service. Sucuri’s web monitoring solution is used today by more than 50,000 sites worldwide. The pitfall is that even such giants as WooCommerce and BuddyPress sometimes receive vulnerable updates.

This is a regularly updated list of vulnerabilities found in WordPress themes, plugins and core files, which will help you detect potentially dangerous components on your website. WPScan Vulnerability Database is powered by Sucuri an online platform offering security solutions for WordPressJoomlaDrupalMagento, and many other CMSs. We have scanned their database, picked the most recent vulnerabilities, and made them up into a convenient table, which you can see below.

Types of hazards

In this table, you will see the latest vulnerable WordPress plugins spotted by Sucuri starting from the beginning of 2017. If phrases like “Stored XSS” doesn’t ring any bells, here are some definitions to get you covered:

  1. XSS (Cross-site Scripting) – enables attackers to inject client-side scripts into web pages viewed by other users. There are two types of XSS: stored and reflected. Stored XSS (also known as persistent XSS) occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS occurs when a malicious script is reflected off of a website to a victim’s browser.
  2. SQL Injections – allow hackers to exercise control over your database, including its unauthorized dumping and modification.
  3. LFI (Local File Inclusion) – results in remote code execution on the webserver that runs the affected web application.
  4. Cross-Site Request Forgery (CSRF) – a malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.
27 Vulnerable WordPress Plugins as of 03/16/2017

Many of them haven’t been updated for several years, so better delete them completely from your websites, as simple deactivation of a plugin doesn’t always solve the problem.

SnippetName of the pluginVersionIssueSpotted on
alpine-photo-tile-for-InstagramAlpine PhotoTile1.2.7.6Authenticated Reflected XSS2017-03-03
AnavarAnyVar0.1.1Stored Cross-Site Scripting (XSS)2017-03-06
404-redirection-manager404 to 301 SEO Redirection1.0SQL Injection2017-01-14
contact-form-managerContact Form Manager1.4.2CSRF & Cross-Site Scripting (XSS)2017-03-02
directdownloadDirect Download for WooCommerce1.15Unauthenticated LFI2017-01-18
download-managerDownload Manager2.9.45Cross-Site Request Forgery (CSRF)2017-03-03
dtrackerDtracker1.5Multiple Unauthenticated Blind SQL Injections2017-03-09
easy-tableEasy Table Authenticated Stored XSS2017-02-20
global-content-blocksGlobal Content Blocks Cross-Site Request Forgery (CSRF)2017-03-03
google-analytics-dashboardGoogle Analytics Dashboard Authenticated XSS2017-03-02
google-mp3-audio-playerCodeArt Google MP3 Player File Disclosure2017-02-09
google-sitemap-generatorGoogle XML Sitemaps4.0.8Authenticated Reflected XSS (via HOST header)2017-03-03
kama-click-counterKama Click Counter Authenticated Blind SQL Injection2017-02-28
mail-mastaMail Masta1.0Multiple SQL Injection2017-02-23
mobile-app-builder-by-wappressWordPress Mobile app Builder1.05Unauthenticated File Upload2017-03-08
mobile-friendly-app-builder-by-easytouchHow to Create an App for Android iPhone Easytouch3.0Unauthenticated File Upload2017-03-08
popup-by-supsysticPopup by Supsystic Cross-Site Request Forgery (CSRF)2017-03-02
responsive-pollResponsive Poll1.7.4Cross-Site Scripting (XSS)2017-01-11
rockhoist-badgesRockhurst Badges1.2.2Authenticated Stored XSS2017-03-06
simple-ads-managerSimple Ads Manager Unauthenticated PHP Object Injection2017-03-03
stats-counterAnalytics Stats Counter Statistics Unauthenticated PHP Object Injection2017-03-03
trust-formTrust Form Authenticated Reflected XSS2017-03-03
user-login-logUser Login Log Stored Cross-Site Scripting (XSS)2017-03-02
webapp-builderWebapp builder 2.02.0Unauthenticated File Upload2017-03-08
wp-spamfreeWP-SpamFree Anti-Spam Authenticated Reflected XSS2017-03-02
wp2android-turn-wp-site-into-android-appWp2android1.1.4Unauthenticated File Upload2017-03-08
zen-mobile-app-nativeMobile App Native3.0Remote File Upload2017-03-01
16 Vulnerable WordPress Plugins that need to be updated ASAP

These 16 plugins are used by 4+ million WordPress websites. The list includes WooCommerce, BuddyPress, VaultPress and other world-renowned extensions. Luckily, developers of popular plugins fix critical issues quickly, so make sure that all of your plugins are always up-to-date. Enable auto-updates and regularly check if the plugins installed on your WordPress website are of the latest version.

SnippetName of the pluginVersionIssueUpdate to
BuddyPressBuddyPress2.7.3Arbitrary File Deletion2.7.4
contact-form-pluginContact Form by BestWebSoft4.0.1Stored Cross-Site Scripting (XSS)4.0.2
chained-quizChained Quiz0.9.8Cross-Site Scripting (XSS)0.9.9
cms-commander-clientCMS Commander Client2.21Unauthenticated PHP Object Injection2.22
form builderFormBuilder1.0.7Multiple Authenticated SQL Injection

Cross-Site Request Forgery (CSRF)

image-slider-widgetSlider1.1.89Authenticated Arbitrary File Deletion1.1.90
iwp-clientInfiniteWP Client1.6.0Unauthenticated PHP Object Injection1.6.1.1
magic-fieldsMagic Fields1.7.1Authenticated XSS1.7.2
newstatpressNewStatPress1.2.4Stored Cross-Site Scripting (XSS)1.2.5
nextgen-galleryNextGEN Gallery2.1.77Unauthenticated SQL Injection2.1.79
stop-user-enumerationStop User Enumeration1.3.7Unauthenticated Reflected XSS1.3.8
vault pressVaultPress1.8.6Backend Server SSL Verification Disabled1.8.7
xcloner-backup-and-restoreXCloner – Backup and Restore3.1.4Authenticated Path Traversal3.1.5
WangGuardWangGuard1.7.2Authenticated Reflected XSS1.7.3
WoocommerceWooCommerce2.6.8Authenticated Tax-Rate CSV XSS2.6.9
wp formGoogle Forms0.87Unauthenticated PHP Object Injection0.91

Leave a Comment

1 Comment