New WordPress vulnerability checks week 40

The following three new WordPress plugin vulnerability checks have been added to WPScans. More than 21 new checks for Cross-Site Scripting (XSS), CSRF, backdoors and SQL injections:

  • BackupGuard <= 1.1.46 – Authenticated Cross-Site Scripting (XSS)
  • WooCommerce Product Vendors Plugin <= 2.0.27 – Unauthenticated Reflected XSS
  • Participants Database <= 1.7.5.9 – Cross-Site Scripting
  • Display Widgets 2.6.0-2.6.3.1 – Backdoored
  • Pinfinity Theme <= 1.9.2 – Reflected Cross-site Scripting (XSS)
  • SmokeSignal <= 1.2.6 – Authenticated Stored XSS
  • WP Like Post <= 1.5.2 – Authenticated SQL Injection
  • SQL Shortcode <= 1.1 – Authenticated SQL Execution
  • WordPress 2.3.0-4.8.1 – $wpdb->prepare() potential SQL Injection
  • Responsive Image Gallery, Gallery Album <= 1.2.0 – Authenticated SQL Injection
  • VaultPress 1.89-1.9 – Unauthenticated RCE
  • Content Audit <= 1.9.1 – Cross-Site Scripting (XSS) & CSRF
  • Basic Contact Form <= 1.0.3 – Potential Unauthenticated Shell Upload
  • MarketPress <= 3.2.6 – PHP Object Injection
  • 2kb Amazon Affiliates Store <= 2.1.0 – Authenticated Cross-Site Scripting (XSS)
  • BackWPup <= 3.4.1 – Backup File Download
  • Student Result or Employee Database <= 1.6.3 – Auth Bypass
  • Content Timeline – Multiple Blind SQL Injection
  • Appointments <= 2.2.1 – PHP Object Injection
  • Flickr Gallery <= 1.5.2 – PHP Object Injection
  • RegistrationMagic-Custom Registration Forms <= 3.7.9.2 – Unauthenticated PHP Object Injection

Run your free scan at https://wpscans.com
