New Vulnerabilities in 6 Popular WordPress Plugins
This entry was posted in WordPress Security on November 11, 2015 by Mark Maunder
This week we have several high-profile plugin vulnerabilities we’d like to bring your attention to. If you are using one of these plugins, upgrade to the fixed version immediately.
Fast Secure Contact Form (400,000+ active installs) versions 4.0.37 and earlier contain an XSS vulnerability that was publicly announced on October 27th. This was fixed in version 4.0.38. Upgrade immediately if you haven’t already. Note that this plugin is very popular, with over 400,000 active installs.
Bulletproof Security (100,000+ active installs) version .52.4 contains an XSS vulnerability that was publicly announced 2 weeks ago. Please upgrade to the newest version, which fixes the issue, if you haven’t already.
Blubrry PowerPress podcasting plugin (50,000+ active installs) versions 6.0.4 and earlier contain an XSS vulnerability publicly announced on October 27th. Upgrade as soon as possible.
Form Manager (30,000+ active installs) versions 1.7.2 and earlier contain an unauthenticated remote command execution (RCE) vulnerability published on October 23rd. This was fixed in 1.7.3. Upgrade as soon as possible.
WordPress Files Upload (10,000+ active installs) versions 3.4.0 and earlier allowed a malicious executable file to be uploaded and executed. This has been fixed in 3.4.1, which was released 13 days ago. Please upgrade immediately if you haven’t already.
Crony Cronjob Manager (2000+ active installs) versions 0.4.4 and earlier contained an XSS and CSRF vulnerability. The fix was released several weeks ago, but it was publicly announced 15 days ago. If you haven’t upgraded this plugin, please do so immediately.
Kudos to Sathish from Cyber Security Works for discovering several of these vulnerabilities and for the responsible disclosure.
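One way to check a site's plugin inventory against the versions listed above, as an added example that is not part of the original post. The inventory shape (`title` and `version` fields), the status labels and the substring match on plugin names as the post spells them are assumptions.

```python
import re
from itertools import zip_longest

# Last affected version per plugin, as listed in the post above.
# exact=True: the post names one version only, without "and earlier".
ADVISORIES = {
    "fast secure contact form": ("4.0.37", False),
    "bulletproof security": (".52.4", True),
    "blubrry powerpress": ("6.0.4", False),
    "form manager": ("1.7.2", False),
    "wordpress files upload": ("3.4.0", False),
    "crony cronjob manager": ("0.4.4", False),
}

def parse(version):
    """'.52.4' -> (0, 52, 4); '1.7.3-beta' -> (1, 7, 3)."""
    parts = (re.match(r"\d*", p).group() for p in version.strip().split("."))
    return tuple(int(p) if p else 0 for p in parts)

def compare(a, b):
    """Return -1, 0 or 1, padding the shorter version with zeros."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def audit(plugins):
    findings = []
    for plugin in plugins:
        for name, (last_bad, exact) in ADVISORIES.items():
            if name in plugin["title"].lower():
                order = compare(plugin["version"], last_bad)
                if order == 0 or (order < 0 and not exact):
                    status = "vulnerable"
                elif order < 0:
                    status = "unverified"  # older than the one version named
                else:
                    status = "newer"       # above every version the post lists
                findings.append((plugin["title"], plugin["version"], status))
    return findings

# Constructed sample inventory (hypothetical, not real site data).
SAMPLE = [
    {"title": "Fast Secure Contact Form", "version": "4.0.37"},
    {"title": "BulletProof Security", "version": "0.52.4"},
    {"title": "Form Manager", "version": "1.7.3"},
    {"title": "Crony Cronjob Manager", "version": "0.4"},
    {"title": "Hello Dolly", "version": "1.6"},
]
```

`audit(SAMPLE)` returns one row per plugin the post names; anything marked `vulnerable` or `unverified` should be upgraded or reviewed first.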