This is a roundup of all the WordPress core, plugin and theme vulnerabilities reported during the month of July 2016. This roundup is brought to you by WP Security Bloggers, an aggregate of popular WordPress security blogs and other security sources that publish WordPress security news and updates. Subscribe to the WP Security Bloggers daily or weekly newsletter to keep yourself up to date with what is happening in the WordPress security world.
Note: In July there were more vulnerabilities reported than usual because of the Summer of Pwnage Open Source Security Bug Hunt, a Dutch community program for everyone with an interest in software security.
WordPress Plugins Vulnerabilities
- Multiple vulnerabilities in login CAPTCHA of All In One WP Security & Firewall 4.1.2 Plugin
- Cross-site Scripting vulnerability in Yoast SEO 3.3.2
- Multiple stored Cross-site Scripting vulnerabilities in Clicky by Yoast 1.4.3
- Reflected Cross-site Scripting vulnerability in WP Polls 2.73
- Blind SQL Injection vulnerability in Ultimate Product Catalogue 3.9.8
- Reflected Cross-site Scripting vulnerability in Easy Forms for MailChimp 6.1.2
- CSRF and Stored Cross-site Scripting vulnerability in Woo Custom Checkout Field
- Cross-site Scripting vulnerability in Code Snippets 2.6.1
- Cross-site Scripting vulnerability in Contact Form Email
- Cross-site Scripting vulnerability and Privilege Escalation in Lazy Load 0.6
- Cross-site Scripting vulnerability in Paid Memberships Pro 1.8.9.3
- Authenticated Cross-site Scripting vulnerability in WooCommerce 2.6.2
- Multiple SQL injection vulnerabilities in WordPress Video Player 1.5.16
- Cross-Site Request Forgery in Icegram 1.9.18
- Multiple Cross-Site Scripting vulnerabilities in Ninja Forms WordPress 2.9.51
- Reflected Cross-site Scripting vulnerability and CSRF vulnerabilities in Woo Email Control 1.0.1
- Stored Cross-site Scripting vulnerability in All in One SEO Pack 2.3.7
- Stored Cross-site Scripting vulnerability in dwnldr 1.0
- Potential Cross-site Scripting vulnerability via display name and avatar in bbPress 2.5.9
- Cross-site Scripting vulnerability in Simple Membership 3.2.8
- Cross-site Scripting vulnerability in Top 10 – Popular posts plugin for WordPress 2.3.0
- Cross-site Scripting vulnerability in WP No External Links 3.5.15
- Cross-site Scripting vulnerability in Google Forms 0.84
- Cross-site Scripting vulnerability in Post Duplicator 2.16
- Cross-site Scripting vulnerability in Email Users 4.8.2
- Reflected Cross-Site Scripting vulnerability in Master Slider – Responsive Touch Slider 2.7.1
- Cross-site Scripting vulnerability in Profile Builder – front-end user registration, user profile and user login 2.4.0
- Local File Inclusion vulnerability in WP Fastest Cache 0.8.5.9
- Local File Inclusion vulnerability in Easy Forms for MailChimp 6.0.5.5
- Cross-site Scripting vulnerability in Email Users 4.8.2
- Persistent Cross-Site Scripting in Activity Log 2.3.1
- Persistent Cross-Site Scripting in WP Live Chat Support 6.2.00
- Privilege Escalation and Path Traversal vulnerabilities in Squirrly SEO 6.1.4
- Remote Code Execution, Information Disclosure and Missing Authorization in WP Maintenance Mode 2.0.6
- Local File Inclusion vulnerability in Ultimate Member 1.3.64
- Persistent Cross-Site Scripting in All in One SEO Pack 2.3.61
- Multiple vulnerabilities in Real2D FlipBook
WordPress Theme Vulnerability
Note: Use the WordPress security glossary if you do not understand or would like to know more about a specific term used in any of the advisories.
WordPress Hosting, Firewall and Backup
WP White Security is hosted on A2 Hosting, protected with the BBQ: Block Bad Queries firewall and backed up with the BlogVault online WordPress backup service.