WordPress Vulnerabilities: Core, Plugins & Themes Vulnerabilities Roundup for January 2017


In January 33 WordPress plugin vulnerabilities were reported, and 12 in WordPress core. Since we started keeping a record of reported vulnerabilities, this has been the busiest month for WordPress core vulnerabilities. All these reports are a good sign that WordPress is simply becoming more secure software, as explained in "Crunching the numbers: how secure is WordPress?".

Below is the complete list of all the WordPress plugin and theme vulnerabilities reported in December 2016:

WordPress Vulnerabilities in Plugins

  • CSRF and XSS vulnerabilities in ABASE plugin
  • Arbitrary file upload vulnerability in Seo Spy plugin
  • Arbitrary file upload vulnerability in PHP Analytics plugin
  • Arbitrary file upload vulnerability in Social plugin
  • Remote Code Execution (RCE) in Google Maps by Daniel Martyn plugin
  • Arbitrary file upload vulnerability in ChikunCounter plugin
  • Arbitrary File Upload Vulnerability in Developer Tools plugin
  • Unauthenticated PHP Object injection in CMS Commander Client plugin
  • Unauthenticated PHP Object injection in Google Forms plugin
  • Arbitrary File Upload vulnerability in DOP Slider plugin
  • CSRF and XSS vulnerabilities in Hupso Share Buttons for Twitter, Facebook & Google+ plugin
  • Open redirect vulnerability in moreAds SE
  • Reflected Cross-Site Scripting (XSS) Vulnerability in moreAds SE plugin
  • Information Disclosure Vulnerability in W3 Total Cache plugin
  • CSRF and XSS in Arigato Autoresponder and Newsletter plugin
  • Reflected Cross-Site Scripting (XSS) vulnerability in Event Notifier plugin
  • Remote Local File Inclusion in Direct Download for WooCommerce
  • Reflected Cross-Site Scripting (XSS) Vulnerability in WangGuard plugin
  • SQL Injection in 404 Redirection Manager
  • Reflected Cross-Site Scripting (XSS) Vulnerability in Super Socializer
  • Cross-Site Scripting (XSS) & CSRF in Responsive Poll plugin
  • Privilege Escalation in WP Support Plus Responsive Ticket System plugin
  • PHP Object Injection Vulnerability in Post Grid plugin
  • Username enumeration bypasses in Stop User Enumeration plugin
  • Cross-Site Scripting (XSS) in Chained Quiz plugin
  • Cross-site Scripting vulnerability in WooCommerce plugin
  • Authenticated Arbitrary File Deletion in Slider plugin
  • Authenticated Path Traversal in XCloner – Backup and Restore plugin
  • Authenticated Arbitrary File Deletion Vulnerability in BuddyPress
  • Information disclosure in Pike Firewall WordPress plugin

WordPress Vulnerabilities in Core

  • Unauthenticated privilege escalation in a REST API endpoint
  • Cross-Site Scripting (XSS) in posts list table
  • SQL Injection in WP_Query
  • Press This available to unauthorised users
  • Cross-site request forgery (CSRF) in WordPress prior to 4.7.1
  • Information Disclosure in WordPress prior to 4.7.1
  • Cross-site request forgery (CSRF) in the accessibility mode of widget editing
  • Cross-site scripting (XSS) vulnerability via theme name fallback
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  • Cross-site scripting in update-core.php
  • User information disclosure in WordPress Rest API
  • Remote code execution vulnerability in PHPMailer (shipped with WordPress)

You can read the release notes of WordPress 4.7.1 for more information on the above-mentioned WordPress core vulnerabilities that are not linked.


Source: WPWhiteSecurity


Overview of WordPress Vulnerabilities in December 2016

In this December 2016 monthly roundup of reported WordPress core, plugin and theme vulnerabilities, very few WordPress plugin vulnerabilities were reported.

Overview of WordPress Plugins Vulnerabilities in December 2016

27 WordPress plugin vulnerabilities were discovered in December. Also in the month of December, the trend of plugins being removed from the WordPress repository continued. It was noticed that the number of plugins being taken offline from the WordPress repository is increasing. Plugins are taken offline when developers do not fix vulnerabilities, or when the developers cannot be reached and hence the vulnerabilities are not fixed. This is a good initiative since it ensures that the majority of WordPress plugins on the repository are being maintained and, above all, are secure.

Below is the complete list of all the WordPress plugin vulnerabilities reported in December 2016:

WordPress Plugins Vulnerabilities

  • CSRF security issue in Copy-Me plugin
  • SSRF vulnerability in Nelio AB Testing plugin
  • SQL Injection in Xtreme Locator Dealer Locator plugin
  • Blind Injection in ZM Gallery plugin
  • SQL Injection in WP Private Messages plugin
  • CSRF / Database Update vulnerability in ZX_CSV Upload plugin
  • SQL Injection in Single Personal Message plugin
  • SQL Injection in WP Support Plus Responsive Ticket System plugin
  • Authenticated Information Disclosure in Backup & Restore Dropbox plugin
  • Stored XSS and CSRF in Quiz and Survey Master plugin
  • Multiple SQL Injection and XSS vulnerabilities in Podlove Podcast Publisher
  • Reflected XSS vulnerability in MailChimp for WordPress plugin
  • Arbitrary File Upload vulnerability in Delete All Comments plugin
  • Reflected Cross-site Scripting in Social Pug – Easy Social Share Buttons plugin
  • CSRF vulnerability in Multisite Post Duplicator plugin
  • PHP Object Injection in BP Profile Search
  • CSRF & XSS vulnerabilities in Twitter Cards Meta plugin
  • Information Disclosure vulnerability in WooCommerce Email Test plugin
  • Arbitrary file deletion vulnerability in Image Slider plugin
  • Unauthenticated change of password critical security issue in Ultimate Member plugin
  • SQL Injection in WA Form Builder
  • SQL Injection vulnerability in Product Catalog plugin
  • Unauthenticated SQL Injection in BBS e-Franchise plugin
  • Local File Inclusion in WP Vault plugin

This vulnerabilities and security issues roundup is made possible through WP Security Bloggers.


November WordPress Vulnerabilities RoundUp

This is a monthly roundup of WordPress vulnerabilities for the month of November. It covers all the vulnerabilities in WordPress plugins and themes reported during November 2016. This roundup is made possible through WP Security Bloggers, an aggregator of popular WordPress security blogs and websites that publish WordPress security news and updates. During November no WordPress vulnerabilities were reported in the WordPress core.

Overview of WordPress Vulnerabilities in November 2016

39 WordPress vulnerabilities in plugins were reported in November. That is the highest number of vulnerabilities recorded since July this year, when WP White Security started recording these statistics.

There has also been an increasing trend in the number of plugins being taken offline from the WordPress repository. Plugins are taken offline when developers do not fix vulnerabilities, or the developers cannot be reached hence the vulnerabilities are not fixed. This is a good initiative since it ensures that the majority of WordPress plugins on the repository are being maintained and above all, are secure.

Below is the complete list of all the WordPress Vulnerabilities found in plugins and themes reported in November 2016:

WordPress Vulnerabilities in Plugins

WordPress Vulnerabilities in Themes



WordPress Security: How is WordPress Website Hacked?

Having your WordPress website hacked is one of the biggest nightmares for any website owner. From one moment to the next, your site is shut down. Traffic plummets and all the energy, effort, time, and money you put into your site is on the brink of being lost entirely.

As much as the developers behind WordPress and the entire WordPress community are working round the clock to make better and more secure versions of WordPress, hackers are also trying by all means to find new vulnerabilities they can exploit. A vulnerability is a weakness that allows attackers to compromise a product, in this case a website.

Getting a hacked WordPress website back is hard work; however, it is not as hard as winning back your audience's trust or getting your site off spam blacklists.

While getting a WordPress Website hacked is never pleasant, it is much more common than you would think. The security of a website is not a luxury. Every day the attacks on websites are getting more and more sophisticated.

My intention is not to alarm you, but I want to present the situation exactly as it is so you can make plans to improve your website security.

Besides this, WordPress, being the most widely used CMS platform, is also the leading CMS by the number of attacks!

This is compulsory reading for any WordPress website owner, so take notice! WordPress websites get hacked through:

  • Hosting Service Provider: WP White Security informs us that 41% of website hacks happen because of the hosting provider. Some hosting providers have security loopholes that hackers take advantage of to hack a website.
  • Out-dated WordPress, Plugin and Theme Versions: running out-dated WordPress core files, themes and plugins is one of the most commonly exploited weaknesses that hackers use to gain control of a website. A smart hacker can obtain lots of data by attacking plugins or themes that are not updated. Collectively, these account for 51% of hacked WordPress websites. If you have heard about the Panama Papers, it is believed that behind this huge data loss was a vulnerable version of an extensively used plugin called Revolution Slider, as reported by WordFence.
  • Weak Password: Almost 8% of websites are hacked due to weak passwords. Using a strong password is a widely known security tip, so there should be no excuse for getting hacked this way. Hackers sometimes use sophisticated methods to steal your account credentials, but sometimes they use brute force, i.e. extremely fast software that tries many combinations of username and password to get into your website. If you use admin as your username, then you have made the hackers' work pretty easy.
  • Unsafe Computer: A website is still vulnerable even if the above loopholes have been closed. Another way hackers break into a WordPress website is to infect the website admin's computer with a virus. When the admin periodically checks the website, the virus stored on that computer can be used to hack it.

The Golden rule of Website security says that “it is better to prevent than to clear”. It is therefore important to take proactive measures to assure a secure website or blog.

This is the end of the post. Read it carefully and make the necessary adjustments. If you do, the chances of being hacked are low and you can fully focus on other aspects. Still, website security is a dynamic field and you should stay updated all the time.


Top 5 Useful Tools to Scan Websites for Virus and Malware Infection

Aside from periodically scanning our PCs for viruses, there is also a need to scan websites for virus or malware infection. A virus or malware infection of any website can have overwhelming consequences on the overall performance of the website, the hosting server and the site owner.

There are several websites offering useful tools online for webmasters to scan websites. These scans provide useful information and helpful security tips.

Some of these providers also have WordPress plugins to scan WordPress-powered websites. These plugins will scan websites for malware, trojans, backdoors, worms, viruses, shells, spyware and other threats, as well as JavaScript code obfuscation, exploits, malicious iframes, malicious code injection, malicious code obfuscation, auto-generated malicious content, redirects, hidden eval code and more.

Here are some of the top tools to scan websites:

Sucuri Online Scan

Sucuri is a famous provider of website security solutions with specialization in WordPress. Their scanning tool works as a magnet to attract new customers. Obviously, it lets you know if your website is suffering from injected spam, defacements or malware. Sucuri has a WordPress plugin that can be easily installed and configured for use. It is a security suite meant to complement your existing security posture with seven key security features:

  1. Security Activity Audit Logging
  2. File Integrity Monitoring
  3. Remote Malware Scanning
  4. Blacklist Monitoring
  5. Effective Security Hardening
  6. Post-Hack Security Actions
  7. Security Notifications

Virus Total

VirusTotal is a simple tool to scan websites and it does a great job at that. It allows scanning a file or a URL and provides information about the viruses found. Using VirusTotal is absolutely free. This great tool facilitates the quick detection of viruses, worms, Trojans and all kinds of malware on your website, as detected by website scanners and antivirus engines. VirusTotal is a subsidiary of Google. In spite of its simple design, behind this tool is an active community waiting for you to join them.

SpamHaus

SpamHaus is a great security help for any type of website. It has two distinct tools: IP Address Lookup and Domain Lookup. The first tool is useful to determine if an IP address is associated with spam or illegal activities. It is called the SpamHaus Block List (SBL). The SBL is used both as a sender IP blocklist and as a URI blocklist, and it is very effective as a URI blocklist. For example, if you notice that an IP address has attempted to log in to your website multiple times, you should look it up and find additional information about it.

The second tool, the Domain Lookup, tells you whether your website is on their list of spam sources. I hope you are never added to this list, but in case you are, SpamHaus offers information about how to resolve your security issues and, finally, be removed from the list.
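The IP Address Lookup described above is a DNS-based blocklist (DNSBL) query, which a site owner can also automate for IP addresses seen hammering the login page. The script below is an added example, not code from the original post or from Spamhaus: it builds the query name by reversing the IPv4 octets and appending the zen.spamhaus.org zone, resolves it, and maps a 127.0.0.x answer to the Spamhaus list it indicates. The return-code tables follow Spamhaus' published documentation; an answer in 127.255.255.0/24 is an error code (for instance a query sent through a public resolver, which Spamhaus refuses) and is reported as an error rather than a listing. The resolver is injectable so the logic can be exercised offline; the IP addresses and answers in the usage are constructed.

```python
"""Query a Spamhaus DNS-based blocklist (DNSBL) for an IPv4 address.

Added example, not from the original post or from Spamhaus. A DNSBL lookup
reverses the IPv4 octets, appends the zone name and resolves the result as
an A record: NXDOMAIN means "not listed"; an answer in 127.0.0.0/8 means
"listed", and its last octet identifies the Spamhaus list that matched.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Last octet of a 127.0.0.x answer from zen.spamhaus.org (per Spamhaus docs).
ZEN_CODES = {
    2: "SBL (Spamhaus Block List)",
    3: "SBL CSS (snowshoe / compromised-host spam)",
    4: "XBL (exploited or infected host, CBL data)",
    5: "XBL",
    6: "XBL",
    7: "XBL",
    10: "PBL (ISP-maintained policy block list)",
    11: "PBL (Spamhaus-maintained policy block list)",
}

# Answers in 127.255.255.0/24 are query errors, not listings (per Spamhaus docs).
ERROR_CODES = {
    252: "typing error in DNSBL name",
    254: "query via public/open resolver is refused",
    255: "excessive number of queries",
}


def dnsbl_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret(answers):
    """Map A-record answers to Spamhaus list names; raise on error codes."""
    hits = []
    for answer in answers:
        octets = [int(o) for o in answer.split(".")]
        if len(octets) != 4:
            continue
        if octets[:3] == [127, 255, 255]:
            raise RuntimeError(ERROR_CODES.get(octets[3], f"DNSBL error {answer}"))
        if octets[:3] == [127, 0, 0]:
            hits.append(ZEN_CODES.get(octets[3], f"unknown code {answer}"))
    return hits


def default_resolver(name):
    """Resolve all A records for name; NXDOMAIN (gaierror) means not listed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_ip(ip, zone=ZEN_ZONE, resolve=default_resolver):
    """Return (listed, [matching list names]); resolve is injectable for offline use."""
    hits = interpret(resolve(dnsbl_name(ip, zone)))
    return bool(hits), hits


if __name__ == "__main__":
    # 127.0.0.2 is the documented test address that every Spamhaus zone lists.
    # This call performs a real DNS query and needs a non-public resolver.
    listed, hits = check_ip("127.0.0.2")
    print("listed" if listed else "not listed", hits)
```

The injected resolver matters in practice as well as in testing: Spamhaus answers the free zones only for queries coming directly from your own resolver, so running this through a public DNS service yields the 127.255.255.254 error rather than a verdict. Treat a PBL-only hit with care; it marks dynamic or end-user address space that should not send mail directly, not an address known to be malicious.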

Quttera

Quttera is another impressive free tool that should be used periodically to scan websites. It is a cloud-based application that scans websites and generates scan reports. It checks URIs for suspicious scripts, malicious files and other threats hidden inside legitimate content on websites. It analyses a lot of files, so it takes some minutes before listing the results. Because multiple websites are being analysed simultaneously, you may get a message asking you to try the service later. It's not ideal, but the service is free and top-quality, so a little bit of patience is golden!

The Quttera Web Malware Scanner plugin provided in the WordPress plugin repository scans your WordPress website for known and unknown malware and other suspicious activities.

Acunetix

Unlike the previous tools, this one requires a subscription, but it's similar in terms of efficiency and usefulness. Acunetix is a security leader and their online scan offers lots of precious information. It detects and reports a wide array of vulnerabilities in applications built on platforms such as WordPress, PHP, ASP.NET, Java frameworks, Ruby on Rails and many others. Acunetix Vulnerability Scanner can be used to scan for vulnerable WordPress plugins and can also conduct other WordPress-specific configuration tests, such as checks for weak WordPress admin passwords, username enumeration and WordPress configuration file disclosure. The Acunetix WordPress plugin identifies malicious plugins, themes and URLs within website pages.

Do you use any other tools not mentioned here? Please let me know so I can also check them out.