This is a monthly roundup of all the vulnerabilities in WordPress plugins and themes reported during the month of November 2016. During November no WordPress core vulnerabilities were reported. This roundup is made possible through WP Security Bloggers, an aggregate of popular WordPress security blogs and websites that publish WordPress security news and updates.
Overview of WordPress Vulnerabilities in November 2016
In November, 39 WordPress plugin vulnerabilities were reported. That is the highest monthly count since July this year, when we started recording these statistics. It is also quite surprising that we are still seeing fixes for vulnerabilities reported during the Summer of Pwnage, which took place in July 2016.
We are also noticing that the number of plugins being taken offline from the WordPress repository is increasing. Plugins are taken offline when developers do not fix reported vulnerabilities, or when the developers cannot be reached and the vulnerabilities therefore remain unfixed. This is a good initiative, since it ensures that the majority of WordPress plugins in the repository are being maintained and, above all, are secure.
Below is the complete list of all the WordPress plugin and theme vulnerabilities reported in November 2016:
WordPress Plugin Vulnerabilities
CSRF vulnerability in Insert HTML Snippet plugin
HTML Injection in Gallery plugin
SQL Injection in Dukapress plugin
Reflected XSS in WP Whois Domain plugin
Stored Cross-site Scripting in Gallery – Image Gallery plugin
Cross-Site Request Forgery in Wp-D3 plugin
Unauthenticated SQL Injection in Olimometer plugin
SQL Injection in Post Indexer plugin
PHP Object Injection in Post Indexer plugin
SQL Injection & PHP Object Injection in Relevanssi Premium plugin
Authenticated XSS and CSRF in Instagram Feed plugin
Authenticated SQL Injection in Sirv plugin
Authenticated SQL Injection in FireStorm Shopping Cart eCommerce plugin
Authenticated SQL Injection in Mini Cart plugin
SQL Injection in Answer My Question plugin
Stored XSS vulnerability in WP Canvas – Shortcodes plugin
PHP Object Injection in Google Analytics Counter Tracker plugin
XSS vulnerability in All in One WP Security & Firewall plugin
Local File Inclusion in NextGen Gallery plugin
XSS and CSRF vulnerabilities in Gallery – Video Gallery plugin
Cross-site Scripting vulnerability in Lightbox plugin
Cross-site Scripting vulnerability in Check Email plugin
SQL Injection in WP eCommerce plugin
SQL Injection in WP Email plugin
Cross-site Scripting vulnerability in WP-Email plugin
Information disclosure race condition in W3 Total Cache plugin
Weak validation of Amazon SNS push messages in W3 Total Cache plugin
Persistent XSS via CSRF in WP Google Maps plugin
File deletion vulnerability in Post Grid plugin
XSS vulnerability in Calendar WordPress plugin
Persistent Cross-site Scripting in WassUp Real Time Analytics plugin
Cross-site Scripting in Caldera Forms plugin
Reflected Cross-site Scripting in Quotes Collection plugin
Unauthenticated PHP Object Injection in YITH WooCommerce Compare plugin
Local File Inclusion in Sam Pro (Free Edition) plugin
Unauthenticated SSRF in W3 Total Cache plugin
WordPress Theme Vulnerabilities
Cross-Site Request Forgery (CSRF) in PageLines Platform theme
The post November 2016 WordPress Core, Plugins & Themes Vulnerabilities Roundup appeared first on WP White Security.