Overview of WordPress Vulnerabilities in December 2016

In this December 2016 monthly roundup of reported vulnerabilities in WordPress core, plugins and themes, very few WordPress plugin vulnerabilities were reported.

Overview of WordPress Plugins Vulnerabilities in December 2016

27 WordPress plugin vulnerabilities were discovered in December. The trend of plugins being removed from the WordPress repository also continued in December, and the number of plugins being taken offline from the repository is increasing. Plugins are taken offline when developers do not fix vulnerabilities, or when the developers cannot be reached and the vulnerabilities therefore remain unfixed. This is a good initiative since it ensures that the majority of WordPress plugins in the repository are being maintained and, above all, are secure.

Below is the complete list of all the WordPress plugin vulnerabilities reported in December 2016:

WordPress Plugins Vulnerabilities

  • CSRF security issue in Copy-Me plugin
  • SSRF vulnerability in Nelio AB Testing plugin
  • SQL Injection in Xtreme Locator Dealer Locator plugin
  • Blind Injection in ZM Gallery plugin
  • SQL Injection in WP Private Messages plugin
  • CSRF / Database Update vulnerability in ZX_CSV Upload plugin
  • SQL Injection in Single Personal Message plugin
  • SQL Injection in WP Support Plus Responsive Ticket System plugin
  • Authenticated Information Disclosure in Backup & Restore Dropbox plugin
  • Stored XSS and CSRF in Quiz and Survey Master plugin
  • Multiple SQL Injection and XSS vulnerabilities in Podlove Podcast Publisher
  • Reflected XSS vulnerability in MailChimp for WordPress plugin
  • Arbitrary File Upload vulnerability in Delete All Comments plugin
  • Reflected Cross-site Scripting in Social Pug – Easy Social Share Buttons plugin
  • CSRF vulnerability in Multisite Post Duplicator plugin
  • PHP Object Injection in BP Profile Search
  • CSRF & XSS vulnerabilities in Twitter Cards Meta plugin
  • Information Disclosure vulnerability in WooCommerce Email Test plugin
  • Arbitrary file deletion vulnerability in Image Slider plugin
  • Unauthenticated change of password critical security issue in Ultimate Member plugin
  • SQL Injection in WA Form Builder
  • SQL Injection vulnerability in Product Catalog plugin
  • Unauthenticated SQL Injection in BBS e-Franchise plugin
  • Local File Inclusion in WP Vault plugin

This roundup of vulnerabilities and security issues is made possible through WP Security Bloggers.


November WordPress Vulnerabilities Roundup

This is the monthly roundup of WordPress vulnerabilities for November. It covers all the vulnerabilities in WordPress plugins and themes reported during November 2016. The roundup is made possible through WP Security Bloggers, an aggregator of popular WordPress security blogs and websites that publish WordPress security news and updates. During November no vulnerabilities were reported in WordPress core.

Overview of WordPress Vulnerabilities in November 2016

39 WordPress plugin vulnerabilities were reported in November. That is the highest number of vulnerabilities recorded since July this year, when WP White Securities started recording these statistics.

There has also been an increasing trend in the number of plugins being taken offline from the WordPress repository. Plugins are taken offline when developers do not fix vulnerabilities, or when the developers cannot be reached and the vulnerabilities therefore remain unfixed. This is a good initiative since it ensures that the majority of WordPress plugins in the repository are being maintained and, above all, are secure.

Below is the complete list of all the WordPress Vulnerabilities found in plugins and themes reported in November 2016:

WordPress Vulnerabilities in Plugins

WordPress Vulnerabilities in Themes


, ,

Top 5 Useful Tools to Scan Websites for Virus and Malware Infection

Aside from periodically scanning our PCs for viruses, there is also a need to scan websites for virus or malware infection. A virus or malware infection of any website can have overwhelming consequences for the overall performance of the website, the hosting server and the site owner.

There are several websites offering useful tools online for webmasters to scan websites. These scans provide useful information and helpful security tips.

Some of these providers also have WordPress plugins to scan WordPress-powered websites. These plugins scan websites for malware, trojans, backdoors, worms, viruses, shells, spyware and other threats, as well as JavaScript code obfuscation, exploits, malicious iframes, malicious code injection, malicious code obfuscation, auto-generated malicious content, redirects, hidden eval code and more.

Here are some of the top tools to scan websites:

Sucuri Online Scan

Sucuri is a well-known provider of website security solutions that specializes in WordPress. Their scanning tool works as a magnet to attract new customers. It lets you know if your website is suffering from injected spam, defacements or malware. Sucuri has a WordPress plugin that can be easily installed and configured for use. It is a security suite meant to complement your existing security posture with seven key security features:

  1. Security Activity Audit Logging
  2. File Integrity Monitoring
  3. Remote Malware Scanning
  4. Blacklist Monitoring
  5. Effective Security Hardening
  6. Post-Hack Security Actions
  7. Security Notifications

Virus Total

VirusTotal is a simple tool to scan websites and it does a great job at that. It allows you to scan a file or a URL and provides information about the viruses found. Using VirusTotal is absolutely free. This great tool facilitates the quick detection of viruses, worms, Trojans and all kinds of malware on your website, as detected by website scanners and antivirus engines. VirusTotal is a subsidiary of Google. In spite of its simple design, behind this tool is an active community waiting for you to join them.

SpamHaus

SpamHaus is a great security help for any type of website. It has two distinct tools: IP Address Lookup and Domain Lookup. The first tool is useful to determine if an IP address is associated with spam or illegal activities. It is called the SpamHaus Block List (SBL). The SBL is used both as a sender IP blocklist and as a URI blocklist, and it is very effective as a URI blocklist. For example, if you notice that an IP address has attempted multiple times to log in to your website, you should look it up to find additional information about it.

The second tool, the Domain Lookup, tells you whether your website is on their list of spam sources. I hope you are never added to this list, but in case you are, SpamHaus offers you information about how to resolve your security issues and, finally, be removed from the list.

Quttera

Quttera is another impressive free tool that should be used periodically to scan websites. It is a cloud-based application that scans websites and generates scan reports. It checks URIs for suspicious scripts, malicious files and other threats hidden in legitimate content on websites. It analyses a lot of files, so it takes some minutes before listing the result. Because multiple websites are being scanned simultaneously, it is possible to get a message asking you to try the service later. It's not ideal, but the service is free and top-quality, so a little bit of patience is golden!

The Quttera Web Malware Scanner plugin provided in the WordPress plugin repository scans your WordPress website for known and unknown malware and other suspicious activities.

Acunetix

Unlike the previous tools, this one requires a subscription, but it's similar in terms of efficiency and usefulness. Acunetix is a security leader and their online scan offers lots of precious information. It detects and reports a wide array of vulnerabilities in applications built on platforms such as WordPress, PHP, ASP.NET, Java frameworks, Ruby on Rails and many others. Acunetix Vulnerability Scanner can be used to scan for vulnerable WordPress plugins and can also be used to conduct other WordPress-specific configuration tests, such as checks for weak WordPress admin passwords, username enumeration and WordPress configuration file disclosure. The Acunetix WordPress plugin identifies malicious plugins, themes and URLs within website pages.

Do you use any other tools not mentioned here? Please let me know so I can check them out too.

List of Important WordPress Plugins you must install on your website

Whether you have an existing WordPress site or are just developing your website, compiled here is a list of the most important WordPress plugins you must have installed on your website.

WordPress is designed to be lean and lightweight with a lot of features and flexibility, but there is still a lot of functionality missing from it. Plugins are designed to fill in these missing functions. Plugins offer custom functions and features so that users can tailor their sites to their specific needs.


Plugins are used to extend and add to the functionality that already exists in WordPress.


The best way to fill in the missing pieces is to get yourself the right plugins. It is often confusing trying to pick out the plugins to install among the many that are available. I will admit that it can be difficult sometimes to sort out the good from the, well, not so good. But I have tried to simplify the process of choosing the most important WordPress plugins you should use. I have also provided links to these important WordPress plugins where necessary.

WordPress Plugins are available from several sources. The most popular and official source for WordPress Plugins is the WordPress Plugin Directory.

So here is a collection of free and premium important WordPress plugins you must have installed on your website. There are various options included for everything from caching and SEO to security and backup.

The Most Important WordPress Plugins are for:


Security Plugins

This is one of the first sets of important WordPress plugins I recommend you install after installing WordPress for your website. Every webmaster or site owner should install one or two of these plugins to secure their website. Some of these plugins are Wordfence Security, WPS Hide Login, Sucuri Security and iThemes Security (formerly Better WP Security). Installing any of these plugins will further protect your WordPress website with malware scanning, brute force protection, login security and more. I have these plugins installed on my various websites.

SEO Plugins

As the name implies, these plugins add SEO functionality to a website. Aside from security, this is another important kind of WordPress plugin that should not be missing from your site. The plugins I recommend are Yoast SEO and All in One SEO Pack. These plugins help you write better content, choose a focus keyword for each article and make sure the focus keyword is used consistently throughout the article.

AntiSpam Plugins

Spam comments are unsolicited comments posted on websites by a broad category of spambots or spammers. Most spam comments are advertisements. AntiSpam plugins check each comment to see whether it looks like spam and let you review the spam comments they blocked. Without an antispam plugin, you stand no chance against spam. The most popular antispam plugin for WordPress is Akismet, and it does a good job at catching spam comments.

Analytics Plugins

Tracking the number of visitors on your website need not be a hard task. These plugins allow you to easily track your site. It is important to install one of these plugins so that you can measure the growth of your website. An example is Google Analytics Dashboard for WP. This plugin enables you to track your site using the latest Google Analytics tracking code and lets you view key Google Analytics reports in your WordPress Dashboard.

Caching Plugins

WordPress caching is the fastest way to improve website performance, reduce download time and so on. WordPress cache plugins cache WordPress posts and pages as static files, which are then served to users. This can improve the overall performance several hundred times. Some popular caching plugins are W3 Total Cache and WP Super Cache.

Social Sharing Plugins

Very useful if you want your visitors to share your content, such as blog posts and pages, via social media and email. Social sharing is a very powerful tool to increase your site traffic and boost your website's social engagement. Check out some of the available social sharing plugins here.

Related Posts Plugins

These are important WordPress plugins that display related posts after the original post, i.e. similar posts that are in the same category as the original post. Displaying links to related content helps your readers enjoy reading posts on your site. This increases the time visitors spend on your site and also increases your chance of engaging with them. This function is already incorporated in some premium themes, but if yours doesn't have it, related post plugins are the way to go, and you can choose from the numerous plugins available here.

Email Subscription Plugins

These plugins place a form on your site which allows visitors to subscribe to future posts or newsletters from your blog. This is a great way to build an email marketing list. They are an essential tool for engaging website visitors on any website. You need to have one installed so that you can start capturing your site visitors' emails early. You can then grow your subscriber list, engage with visitors, convert them and decrease your bounce rate. Check out some here.


Do you have a favorite plugin from this list? Is there any WordPress plugin that you think is absolutely essential for every WordPress site? Indicate in the comments below.

The Global WordPress Translation Day is Happening November 12th

Global WordPress Translation Day 2 is one full day dedicated to bringing WordPress to more people around the world: 24 hours of live training sessions on WordPress. It is a day set aside to translate WordPress into one of more than 160 languages, learn more about translating WordPress, and meet people from all over the world. Translating is one of the easiest ways to get involved with WordPress and contribute to the project.

This will be the second Global WordPress Translation Day, organized by the WordPress Polyglots team, and everyone is invited to participate from anywhere in the world. Join the Polyglots team on November 12th.

Join on November 12th from Anywhere in the World

The translation day starts on Saturday, November 12th, 2016, at 0:00 UTC and ends 24 hours later. Here in Nigeria it starts at 01:00 am. See what time that is for you! You can join right from the start, or at any time that is convenient for you throughout the day.

What are we doing?

It is a great way to get involved in WordPress, as local contributor days are happening all over the world. I don't know if there is any such day in Nigeria, and it's time the WordPress community in Nigeria organized such a local event.

Check out this map to see if there’s already a local event happening near you. Can’t find one? Organize a local event!

At the same time, you can still register to join the community for 24 hours of live-streamed, remote sessions in numerous languages. Sessions will cover localization, internationalization, and contributing in any local language.

Who’s it for?

The translation day is for anyone who wants to learn how to translate, and for experienced translation editors building a strong team. Developers will also enjoy topics from experienced contributors, whether you are learning about internationalization or want to find more translators for your themes and plugins. There is a session for everyone!

Get Involved

Joining is easy! On November 12th, in your own timezone, translate WordPress or your favorite plugins and themes into your language, while watching live sessions over the course of the day.

Want to get more involved? Sign up to organize a local event and invite your local community to translate together on November 12th. Events can be formal or completely informal – grab your laptop and a couple of friends, and head to a good meeting point to translate for an hour or two.

Can you get involved if you only speak English?

Absolutely! Even if you only speak English, there are great sessions about internationalization that can benefit every developer. There are also lots of English variants that you can help with! For example, English is spoken and written differently in Australia, Canada, New Zealand, South Africa, England, Nigeria and the United Kingdom. You can learn about these differences and why these variants are important during the sessions.

And if you’re feeling fun, try translating WordPress into emoji! Yep, there is a translation of WordPress in emoji!


If you have any questions, the Polyglots team and the event organizers hang out in #polyglots in Slack and are happy to help! (Get an invite to Slack at

Sign up to take part in the event on the official website.

Will I be involved? No, I can't. I have a training to attend that same day; my team and I will be training newbies on how to design websites with WordPress. It would be cool if you attended this training.