WordPress Vulnerabilities

WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and…


Plugins recent-backups wp-symposium google-mp3-audio-player db-backup wptf-image-gallery wp-ecommerce-shop-styling candidate-application-form wp-miniaudioplayer ebook-download ajax-store-locator-wordpress_0 hb-audio-gallery-lite simple-ads-manager revslider inboundio-marketing wpshop dzs-zoomsounds reflex-gallery wp-mobile-detector formcraft sexy-contact-form filedownload plugin-newsletter simple-download-button-shortcode pica-photo-gallery tinymce-thumbnail-gallery dukapress wp-filemanager history-collection s3bubble-amazon-s3-html-5-video-with-adverts simple-image-manipulator ibs-mappro image-export abtest wp-swimteam contus-video-gallery sell-downloads brandfolder thecartpress advanced-uploader aviary-image-editor-add-on-for-gravity-forms wp-post-frontend [redacted]* mdc-youtube-downloader document_manager paypal-currency-converter-basic-for-woocommerce justified-image-grid cherry-plugin aspose-cloud-ebook-generator gwolle-gb…


Ninja Forms <= 2.9.51 – Multiple Authenticated Cross-Site Scripting (XSS)
Icegram <= 1.9.18 – Cross-Site Request Forgery (CSRF)
WordPress Video Player <= 1.5.16 – Multiple Authenticated Blind SQL Injection
WooCommerce <= 2.6.2 – Authenticated Cross-Site Scripting (XSS)
Lazy Load <= 0.6 – Cross-Site Scripting (XSS)
Source: WPScan and WPVULNDB


Dwnldr 1.0 – Unauthenticated Stored Cross-Site Scripting (XSS)
Form Lightbox – Arbitrary Option Update Leading to Admin Account
All in One SEO Pack <= 2.3.7 – Unauthenticated Stored Cross-Site Scripting (XSS)
Woo Email Control <= 1.01 – Reflected Cross-Site Scripting (XSS) & CSRF
Source: WPScan and WPVULNDB


Easy Forms for MailChimp <= 6.0.5.5 – Local File Inclusion (LFI)
WP Fastest Cache <= 0.8.5.9 – Local File Inclusion (LFI)
Profile Builder <= 2.4.0 – Reflected Cross-Site Scripting (XSS)
Master Slider <= 2.7.1 – Reflected Cross-Site Scripting (XSS)
Email Users <= 4.8.2 – Reflected Cross-Site Scripting (XSS)
Source: WPScan…


WP Maintenance Mode <= 2.0.6 – Authenticated Multisite Remote Code Execution
WP Maintenance Mode <= 2.0.6 – Subscriber Information Disclosure
WP Maintenance Mode <= 2.0.6 – Missing Settings Authorization
Aryo Activity Log <= 2.3.1 – Persistent Cross-Site Scripting
WP Live Chat Support <= 6.2.01 – Persistent Cross-Site Scripting
Source: WPScan…


From: Summer of Pwnage <lists () securify nl>
Date: Sun, 10 Jul 2016 08:46:21 +0200

Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
David Vaartjes, July 2016

Abstract

A stored Cross-Site Scripting vulnerability was found in the Bot Blocker functionality of the All…
