WordPress Vulnerabilities: Core, Plugins & Themes Vulnerabilities Roundup for January 2017


In January, 33 WordPress plugin vulnerabilities were reported, along with 12 in WordPress core. Since we have been keeping a record of reported vulnerabilities, this has been the busiest month for WordPress core vulnerabilities. All of these vulnerabilities are in fact a good sign that WordPress is simply becoming more secure software, as explained in Crunching the numbers: how secure is WordPress?

Below is the complete list of all the WordPress plugins and themes vulnerabilities reported in December 2016:

WordPress Vulnerabilities in Plugins

  • CSRF and XSS vulnerabilities in ABASE plugin
  • Arbitrary file upload vulnerability in Seo Spy plugin
  • Arbitrary file upload vulnerability in PHP Analytics plugin
  • Arbitrary file upload vulnerability in Social plugin
  • Remote Code Execution (RCE) in Google Maps by Daniel Martyn plugin
  • Arbitrary file upload vulnerability in ChikunCounter plugin
  • Arbitrary File Upload Vulnerability in Developer Tools plugin
  • Unauthenticated PHP Object injection in CMS Commander Client plugin
  • Unauthenticated PHP Object injection in Google Forms plugin
  • Arbitrary File Upload vulnerability in DOP Slider plugin
  • CSRF and XSS vulnerabilities in Hupso Share Buttons for Twitter, Facebook & Google+ plugin
  • Open redirect vulnerability in moreAds SE
  • Reflected Cross-Site Scripting (XSS) Vulnerability in moreAds SE plugin
  • Information Disclosure Vulnerability in W3 Total Cache plugin
  • CSRF and XSS in Arigato Autoresponder and Newsletter plugin
  • Reflected Cross-Site Scripting (XSS) vulnerability in Event Notifier plugin
  • Remote Local File Inclusion in Direct Download for WooCommerce
  • Reflected Cross-Site Scripting (XSS) Vulnerability in WangGuard plugin
  • SQL Injection in 404 Redirection Manager
  • Reflected Cross-Site Scripting (XSS) Vulnerability in Super Socializer
  • Cross-Site Scripting (XSS) & CSRF in Responsive Poll plugin
  • Privilege Escalation in WP Support Plus Responsive Ticket System plugin
  • PHP Object Injection Vulnerability in Post Grid plugin
  • Username enumeration bypasses in Stop User Enumeration plugin
  • Cross-Site Scripting (XSS) in Chained Quiz plugin
  • Cross-site Scripting vulnerability in WooCommerce plugin
  • Authenticated Arbitrary File Deletion in Slider plugin
  • Authenticated Path Traversal in XCloner – Backup and Restore plugin
  • Authenticated Arbitrary File Deletion Vulnerability in BuddyPress
  • Information disclosure in Pike Firewall WordPress plugin

WordPress Vulnerabilities in Core

  • Unauthenticated privilege escalation in a REST API endpoint
  • Cross-Site Scripting (XSS) in posts list table
  • SQL Injection in WP_Query
  • Press This available to unauthorised users
  • Cross-site request forgery (CSRF) in WordPress prior to 4.7.1
  • Information Disclosure in WordPress prior to 4.7.1
  • Cross-site request forgery (CSRF) in the accessibility mode of widget editing
  • Cross-site scripting (XSS) vulnerability via theme name fallback
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  • Cross-site scripting in update-core.php
  • User information disclosure in WordPress Rest API
  • Remote code execution vulnerability in PHPMailer (shipped with WordPress)

You can read the release notes of WordPress 4.7.1 for more information on the above mentioned WordPress vulnerabilities in Core that are not linked.


Source: WPWhiteSecurity


November WordPress Vulnerabilities RoundUp

This is a monthly roundup of WordPress vulnerabilities for the month of November. It covers all the vulnerabilities in WordPress plugins and themes reported during November 2016. This roundup is made possible through WP Security Bloggers, an aggregate of popular WordPress security blogs and websites that publish WordPress security news and updates. During November, no WordPress vulnerabilities were reported in the WordPress core.

Overview of WordPress Vulnerabilities in November 2016

39 WordPress plugin vulnerabilities were reported in November. That is the highest number of vulnerabilities recorded since July this year, when WP White Security started recording these statistics.

There has also been an increasing trend in the number of plugins being taken offline from the WordPress repository. Plugins are taken offline when developers do not fix vulnerabilities, or when the developers cannot be reached and hence the vulnerabilities remain unfixed. This is a good initiative since it ensures that the majority of WordPress plugins on the repository are being maintained and, above all, are secure.

Below is the complete list of all the WordPress Vulnerabilities found in plugins and themes reported in November 2016:

WordPress Vulnerabilities in Plugins

WordPress Vulnerabilities in Themes



WordPress Security: How is WordPress Website Hacked?

Having your WordPress website hacked is one of the biggest nightmares for any website owner. From one moment to the next, your site is shut down. Traffic plummets and all the energy, effort, time, and money you put into your site is on the brink of being lost entirely.

As much as the developers behind WordPress and the entire WordPress community are working round the clock to make better and more secure versions of WordPress, hackers are also trying by all means to find new vulnerabilities they can exploit. A vulnerability is a weakness that allows attackers to compromise a product, in this case a website.

Getting your hacked WordPress website back is hard work; however, it is not as hard as winning back your audience’s trust or getting your site off spam blacklists.

While getting a WordPress website hacked is never pleasant, it is much more common than you would think. The security of a website is not a luxury. Every day, attacks on websites are getting more and more sophisticated.

My intention is not to alarm you, but I want to present the situation exactly as it is so you can make plans to improve your website security.

Besides this, WordPress, as the most popular CMS platform, is also the leading CMS by number of attacks!

This is compulsory reading for any WordPress website owner, so take notice! WordPress websites get hacked through:

  • Hosting service provider: WP White Security informs us that 41% of website hacks happen because of the hosting provider. Some hosting providers have security loopholes that hackers take advantage of to hack a website.
  • Out-dated WordPress, plugin and theme versions: using out-dated WordPress files, themes and plugins is one of the most commonly exploited vulnerabilities that hackers use to gain control of a website. A smart hacker can obtain lots of data by hacking plugins or themes that are not updated. Collectively, this accounts for 51% of hacked WordPress websites. If you have heard about the Panama Papers, it is believed that behind this huge data loss was a vulnerable version of an extensively used plugin called Revolution Slider, as reported by Wordfence.
  • Weak passwords: Almost 8% of websites are hacked due to weak passwords. Using a strong password is a widely known security tip, so there should be no excuse for getting hacked this way. Hackers sometimes use sophisticated methods to steal your account credentials, but sometimes they use brute force, i.e. extremely fast software that tries various combinations of username and password to enter your website. If you use admin as your username, then you have made the work pretty easy for hackers.
  • Unsafe computer: A website is still vulnerable even if the above loopholes have been closed. Another way hackers break into a WordPress website is to infect the computer of the website admin with a virus. Periodically, the admin will check the website and can get hacked by the virus stored in the computer's files.

The golden rule of website security says that “it is better to prevent than to clear”. It is therefore important to take proactive measures to ensure a secure website or blog.

This is the end of the post; read it carefully and make adjustments where necessary. If you do, the chances of being hacked are low and you can fully focus on other aspects. Still, website security is a dynamic field and you should stay updated all the time.

The Global WordPress Translation Day is Happening November 12th

Global WordPress Translation Day 2 is one full day dedicated to bringing WordPress to more people around the world: 24 hours of live training sessions on WordPress. It is a day set aside to translate WordPress into one of more than 160 languages, learn more about translating WordPress, and meet people from all over the world. Translating is one of the easiest ways to get involved with WordPress and contribute to the project.

This will be Day 2 of the Global WordPress Translation Day organized by the WordPress Polyglots team. Everyone is invited to participate from anywhere in the world. Join the Polyglots team on November 12th.

Join on November 12th from Anywhere in the World

The translation day starts on Saturday, November 12th, 2016, at 0:00 UTC and ends 24 hours later. Here in Nigeria, it starts at 01:00 am. See what time that is for you! You can join right from the start, or at any time that is convenient for you throughout the day.

What are we doing?

It is a great way to get involved in WordPress, as local contributor days are happening all over the world. I don’t know if there is any such day in Nigeria, and it’s time the WordPress community in Nigeria organized such a local event.

Check out this map to see if there’s already a local event happening near you. Can’t find one? Organize a local event!

At the same time, you can still register to join the community for 24 hours of live-streamed, remote sessions in numerous languages. Sessions will cover localization, internationalization, and contributing in any local language.

Who’s it for?

The translation day is for anyone who wants to learn how to translate, and for experienced translation editors building a strong team. Developers will also enjoy topics from experienced contributors, whether you are learning about internationalization or want to find more translators for your themes and plugins. There is a session for everyone!

Get Involved

Joining is easy! On November 12th, in your own timezone, translate WordPress or your favorite plugins and themes into your language, while watching live sessions over the course of the day.

Want to get more involved? Sign up to organize a local event and invite your local community to translate together on November 12th. Events can be formal or completely informal – grab your laptop and a couple of friends, and head to a good meeting point to translate for an hour or two.

Can you get involved if you only speak English?

Absolutely! Even if you only speak English, there are great sessions about internationalization that can benefit every developer. There are also lots of English variants that you can help with! For example, English is spoken and written differently in Australia, Canada, New Zealand, South Africa, England, Nigeria and the United Kingdom. You can learn about these differences and why these variants are important during the sessions.

And if you’re feeling fun, try translating WordPress into emoji! Yep, there is a translation of WordPress in emoji!


If you have any questions, the polyglots’ team and the event organizers hang out in #polyglots in Slack and are happy to help! (Get an invite to Slack at

Sign up to take part in the event on the official website.

Will I be involved? No, I can’t. I have a training to attend that same day; I and my team will be training newbies in how to design websites with WordPress. It’s going to be cool if you attend this training.