Site icon MonstersPost

43 Dangerous WordPress Plugins Blacklisted by Sucuri in 2017

wordpress security

Despite being one of the most important aspects of website management, security is often overlooked, especially by newbie website owners. But you are not one of them, right? You use only premium WordPress themes, trusted plugins from WordPress.org, and never install any suspicious scripts.


Wrong

The pitfall is that even such giants as WooCommerce and BuddyPress sometimes receive vulnerable updates. It is extremely dangerous, as these plugins are used by millions of users, and such vulnerabilities can lead to massive hacker attacks targeted at thousands of websites at once.

Here is where WPScan Vulnerability Database comes to your aid. This is a regularly updated list of vulnerabilities found in WordPress themes, plugins and core files, which will help you detect potentially dangerous components on your website. WPScan Vulnerability Database is powered by Sucuri – an online platform offering security solutions for WordPress, Joomla, Drupal, Magento and many other CMSs.

We have scanned their database, picked the most recent vulnerabilities, and made them up into a convenient table, which you can see below.


Types of hazards

In this table, you will see the latest plugin vulnerabilities spotted by Sucuri starting from the beginning of 2017. If phrases like “Stored XSS” don’t ring any bells, here are some definitions to get you covered:

Stored XSS (also known as persistent XSS) occurs when a malicious script is injected directly into a vulnerable web application.

Reflected XSS occurs when a malicious script is reflected off of a website to a victim’s browser.


27 WordPress plugins that contain critical vulnerabilities as of 03/16/2017

Many of them haven’t been updated for several years, so better delete them completely from your websites, as simple deactivation of a plugin doesn’t always solve the problem.

Snippet Name of the plugin Version Issue Spotted on
alpine-photo-tile-for-instagram Alpine PhotoTile 1.2.7.6 Authenticated Reflected XSS 2017-03-03
anyvar AnyVar 0.1.1 Stored Cross-Site Scripting (XSS) 2017-03-06
404-redirection-manager 404 to 301 SEO Redirection 1.0 SQL Injection 2017-01-14
contact-form-manager Contact Form Manager 1.4.2 CSRF & Cross-Site Scripting (XSS) 2017-03-02
directdownload Direct Download for WooCommerce 1.15 Unauthenticated LFI 2017-01-18
download-manager Download Manager 2.9.45 Cross-Site Request Forgery (CSRF) 2017-03-03
dtracker Dtracker 1.5 Multiple Unauthenticated Blind SQL Injections 2017-03-09
easy-table Easy Table Authenticated Stored XSS 2017-02-20
global-content-blocks Global Content Blocks Cross-Site Request Forgery (CSRF) 2017-03-03
google-analytics-dashboard Google Analytics Dashboard Authenticated XSS 2017-03-02
google-mp3-audio-player CodeArt Google MP3 Player File Disclosure 2017-02-09
google-sitemap-generator Google XML Sitemaps 4.0.8 Authenticated Reflected XSS (via HOST header) 2017-03-03
kama-clic-counter Kama Click Counter Authenticated Blind SQL Injection 2017-02-28
mail-masta Mail Masta 1.0 Multiple SQL Injection 2017-02-23
mobile-app-builder-by-wappress WordPress Mobile app Builder 1.05 Unauthenticated File Upload 2017-03-08
mobile-friendly-app-builder-by-easytouch How to Create an App for Android iPhone Easytouch 3.0 Unauthenticated File Upload 2017-03-08
popup-by-supsystic Popup by Supsystic Cross-Site Request Forgery (CSRF) 2017-03-02
responsive-poll Responsive Poll 1.7.4 Cross-Site Scripting (XSS) 2017-01-11
rockhoist-badges Rockhoist Badges 1.2.2 Authenticated Stored XSS 2017-03-06
simple-ads-manager Simple Ads Manager Unauthenticated PHP Object Injection 2017-03-03
stats-counter Analytics Stats Counter Statistics Unauthenticated PHP Object Injection 2017-03-03
trust-form Trust Form Authenticated Reflected XSS 2017-03-03
user-login-log User Login Log Stored Cross-Site Scripting (XSS) 2017-03-02
webapp-builder Webapp builder 2.0 2.0 Unauthenticated File Upload 2017-03-08
wp-spamfree WP-SpamFree Anti-Spam Authenticated Reflected XSS 2017-03-02
wp2android-turn-wp-site-into-android-app Wp2android 1.1.4 Unauthenticated File Upload 2017-03-08
zen-mobile-app-native Mobile App Native 3.0 Remote File Upload 2017-03-01

16 WordPress plugins that need to be updated ASAP

These 16 plugins are used by 4+ million WordPress websites. The list includes WooCommerce, BuddyPress, VaultPress and other world-renowned extensions. Luckily, developers of popular plugins fix critical issues quickly, so make sure that all of your plugins are always up-to-date. Enable auto updates and regularly check if the plugins installed on your WordPress website are of the latest version.

Snippet Name of the plugin Version Issue Update to
buddypress BuddyPress 2.7.3 Arbitrary File Deletion 2.7.4
contact-form-plugin Contact Form by BestWebSoft 4.0.1 Stored Cross-Site Scripting (XSS) 4.0.2
chained-quiz Chained Quiz 0.9.8 Cross-Site Scripting (XSS) 0.9.9
cms-commander-client CMS Commander Client 2.21 Unauthenticated PHP Object Injection 2.22
formbuilder FormBuilder 1.0.7 Multiple Authenticated SQL Injection

Cross-Site Request Forgery (CSRF)

1.0.8
image-slider-widget Slider 1.1.89 Authenticated Arbitrary File Deletion 1.1.90
iwp-client InfiniteWP Client 1.6.0 Unauthenticated PHP Object Injection 1.6.1.1
magic-fields Magic Fields 1.7.1 Authenticated XSS 1.7.2
newstatpress NewStatPress 1.2.4 Stored Cross-Site Scripting (XSS) 1.2.5
nextgen-gallery NextGEN Gallery 2.1.77 Unauthenticated SQL Injection 2.1.79
stop-user-enumeration Stop User Enumeration 1.3.7 Unauthenticated Reflected XSS 1.3.8
vaultpress VaultPress 1.8.6 Backend Server SSL Verification Disabled 1.8.7
xcloner-backup-and-restore XCloner - Backup and Restore 3.1.4 Authenticated Path Traversal 3.1.5
wangguard WangGuard 1.7.2 Authenticated Reflected XSS 1.7.3
woocommerce WooCommerce 2.6.8 Authenticated Tax-Rate CSV XSS 2.6.9
wpgform Google Forms 0.87 Unauthenticated PHP Object Injection 0.91

Final Thoughts

Of course, you can't ensure absolute security of your website, but you can make it 99% secure, which is pretty much enough for any business :). All you need to do is update your themes and plugins promptly, keep your passwords in a safe place, and never trust other people regularly monitor user activity. Take the first step towards your peace of mind and grab a vulnerability-free WordPress theme from our collection.