
WordPress Vulnerabilities: Core, Plugins & Themes Vulnerabilities Roundup for January 2017


In January, 33 WordPress plugin vulnerabilities were reported, and 12 in WordPress core. Since we started keeping a record of reported vulnerabilities, this has been the busiest month for WordPress core vulnerabilities. All of these reported vulnerabilities are a good sign that WordPress is simply becoming more secure software, as explained in Crunching the numbers, how secure WordPress is?

Below is the complete list of all the WordPress plugins and themes vulnerabilities reported in December 2016:

WordPress Vulnerabilities in Plugins

  • CSRF and XSS vulnerabilities in ABASE plugin
  • Arbitrary file upload vulnerability in Seo Spy plugin
  • Arbitrary file upload vulnerability in PHP Analytics plugin
  • Arbitrary file upload vulnerability in Social plugin
  • Remote Code Execution (RCE) in Google Maps by Daniel Martyn plugin
  • Arbitrary file upload vulnerability in ChikunCounter plugin
  • Arbitrary File Upload Vulnerability in Developer Tools plugin
  • Unauthenticated PHP Object injection in CMS Commander Client plugin
  • Unauthenticated PHP Object injection in Google Forms plugin
  • Arbitrary File Upload vulnerability in DOP Slider plugin
  • CSRF and XSS vulnerabilities in Hupso Share Buttons for Twitter, Facebook & Google+ plugin
  • Open redirect vulnerability in moreAds SE
  • Reflected Cross-Site Scripting (XSS) Vulnerability in moreAds SE plugin
  • Information Disclosure Vulnerability in W3 Total Cache plugin
  • CSRF and XSS in Arigato Autoresponder and Newsletter plugin
  • Reflected Cross-Site Scripting (XSS) vulnerability in Event Notifier plugin
  • Remote Local File Inclusion in Direct Download for WooCommerce
  • Reflected Cross-Site Scripting (XSS) Vulnerability in WangGuard plugin
  • SQL Injection in 404 Redirection Manager
  • Reflected Cross-Site Scripting (XSS) Vulnerability in Super Socializer
  • Cross-Site Scripting (XSS) & CSRF in Responsive Poll plugin
  • Privilege Escalation in WP Support Plus Responsive Ticket System plugin
  • PHP Object Injection Vulnerability in Post Grid plugin
  • Username enumeration bypasses in Stop User Enumeration plugin
  • Cross-Site Scripting (XSS) in Chained Quiz plugin
  • Cross-site Scripting vulnerability in WooCommerce plugin
  • Authenticated Arbitrary File Deletion in Slider plugin
  • Authenticated Path Traversal in XCloner – Backup and Restore plugin
  • Authenticated Arbitrary File Deletion Vulnerability in BuddyPress
  • Information disclosure in Pike Firewall WordPress plugin

WordPress Vulnerabilities in Core

  • Unauthenticated privilege escalation in a REST API endpoint
  • Cross-Site Scripting (XSS) in posts list table
  • SQL Injection in WP_Query
  • Press This available to unauthorised users
  • Cross-site request forgery (CSRF) in WordPress prior to 4.7.1
  • Information Disclosure in WordPress prior to 4.7.1
  • Cross-site request forgery (CSRF) in the accessibility mode of widget editing
  • Cross-site scripting (XSS) vulnerability via theme name fallback
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file
  • Cross-site scripting in update-core.php
  • User information disclosure in WordPress Rest API
  • Remote code execution vulnerability in PHPMailer (shipped with WordPress)

You can read the release notes of WordPress 4.7.1 for more information on the above-mentioned WordPress core vulnerabilities that are not linked.


Source: WPWhiteSecurity