Vulnerability Roundup: 3 Vulnerable WP Plugins and Update Your Joomla

It’s been a tough week for the WP Statistics plugin. Last Friday, Sucuri (now owned by GoDaddy) discovered a SQL injection vulnerability in the WP Statistics plugin version 12.0.7 and older. To exploit the vulnerability, an attacker needs to register an account (or use a compromised account) with subscriber-level access. They can then exploit a weakness in a WP Statistics shortcode to launch a SQL injection attack. This allows them to, for example, create an admin-level user and sign in to your website as an admin.

Then, 2 days ago Ryan Dewhurst discovered a cross site scripting vulnerability in the same plugin, which was fixed within a few hours of discovery.

Over 300,000 websites use WP Statistics. If you use the plugin, you should immediately update to version 12.0.9 which fixes both of these vulnerabilities.

Wordfence includes built-in protection against SQL injection attacks and cross site scripting (XSS) attacks. As a precautionary measure, we’ve released an additional rule to our Wordfence Premium customers in real-time to protect them against the specific SQL injection attack that targets this plugin.

Other WordPress Vulnerabilities You Should Be Aware Of

The All-in-One WP Migration plugin for WordPress reportedly suffered from a cross site scripting vulnerability which was fixed about 6 weeks ago. Wordfence free and Premium has built-in XSS protection, as mentioned above, so even if you were running the vulnerable plugin, you would have been safe. Nevertheless, if you haven’t already, we recommend you update to 6.51, the newest version of All-in-One WP Migration.

A few weeks ago, a reflected cross site scripting vulnerability was discovered in the WordPress Download Manager plugin versions 2.9.51 and older. We suggest you update to 2.9.53, which is the newest version of this plugin. Wordfence also protects against this exploit (free and Premium).

Don’t Forget to Update Your Joomla Installations

Joomla released a security update 48 hours ago which fixes three vulnerabilities. The new release is Joomla 3.7.3 and includes fixes for two XSS vulnerabilities and an information disclosure vulnerability. If you run Joomla on your website, you can visit to run a quick scan on your Joomla site and find out if you are vulnerable and need to take action. Details on the release can be found on and we also mentioned this update on the Gravityscan blog.

That’s all for today’s updates. As always, I’ll be around to reply to your comments if needed.

Did you enjoy this post? Share it!


  • I'm really impressed with WordFence's sense of community spirit. Not only in providing details of vulnerabilities and solutions to issues that relate specifically to WordPress, but also to general IT security issues and even concerns related to other CMS platforms like Joomla!
    Well done WordFence!

    • Agree! Great sense of community and security. Most of developers like me, uses Joomla and Wordpress,

    • I agree also, this is very nice work!

    • I, too, am very impressed and appreciative as someone who uses WordPress and Joomla on many sites. Thank you, Wordfence!

    • Agree! They are just awesome. They are the only one in my regular inbox. Thanks wordfence :)

  • My rule of thumb these days, is use as few plugins as possible, update asap, review as needed. If they become outdated, remove completely. Stay safe.

  • We use Wordfence for all our clients website projects and website security

  • Since I started using WordFence, I have less worries about WordPress security issues. I am hoping that one day WordFence will launch into other CMS like Joomla. Great job team, keep up the good work!

  • Security of Wordpress sites need secure plugins, the major door entrance of hacking attempts. On this matter, I am sure that if I didn't have Wordfence on my sites, probably they wouldn't be up and malware free as they are. And your posts are always on top of information about new threats , thanks for your public service.

  • Really appreciate the updates and security news.

  • Always impressed by your team. Keep up the good work.

    I am not impressed with WordPress. They should have more systems in place to stop Plugins from being distributed via their website that could harm others.

    There should be a Wordfence gate they have to pass. :)

    • These issues were newly discovered vulnerabilities. It's impossible to test for an unknown vulnerability until it becomes known. Wordpress also does a decent job of notifying people about issues once they surface.

      But certainly the care with which Wordfence provides updates and advice gives me confidence that my money spent on their products and services is money well spent.