New Vulnerabilities in 6 Popular WordPress Plugins
This week we have several high-profile plugin vulnerabilities we’d like to bring to your attention. If you are using one of these plugins, upgrade to the fixed version immediately.
Fast Secure Contact Form (400,000+ active installs) versions 4.0.37 and earlier contain an XSS vulnerability that was publicly announced on October 27th. This was fixed in version 4.0.38. Upgrade immediately if you haven’t already. Note that this plugin is very popular, with over 400,000 active installs.
Bulletproof Security (100,000+ active installs) version .52.4 contains an XSS vulnerability that was publicly announced 2 weeks ago. Please upgrade to the newest version, which fixes the issue, if you haven’t already.
Form Manager (30,000+ active installs) versions 1.7.2 and earlier contain an unauthenticated remote command execution (RCE) vulnerability published on October 23rd. This was fixed in 1.7.3. Upgrade as soon as possible.
WordPress Files Upload (10,000+ active installs) versions 3.4.0 and earlier allowed a malicious executable file to be uploaded and executed. This has been fixed in 3.4.1, which was released 13 days ago. Please upgrade immediately if you haven’t already.
Crony Cronjob Manager (2000+ active installs) versions 0.4.4 and earlier contained an XSS and CSRF vulnerability. The fix was released several weeks ago, but it was publicly announced 15 days ago. If you haven’t upgraded this plugin, please do so immediately.
Kudos to Sathish from Cyber Security Works for discovering several of these vulnerabilities and for the responsible disclosure.