Dangerous Plugins

Hacked, dangerous & vulnerable WordPress plugins

With over 47 thousand plugins in the official WordPress repository and thousands more available on various other marketplaces and sites, finding those that work well is a daunting task. Finding WordPress plugins that are secure and won't endanger your site is an even harder task due to the complex nature of WordPress security and often massive plugins with thousands of lines of code.

Although we can't help you avoid every single bad plugin, we can pinpoint those that have known, confirmed vulnerabilities and security issues. Unless you know what you're doing, you're testing something on a local installation, or you're into WordPress security, you should not use the dangerous plugins listed below on production sites. The problems explained in the table below are well known and documented, making it easy for anyone with bad intentions to exploit those security holes and attack your site.

By listing plugins on this page, we mean no disrespect to them or their authors! We only want to warn users not to install specific versions that have known security issues. If you feel your plugin has been listed by mistake or you need help updating it, please contact us.

How to use this page and the list of vulnerable plugins?

If you're using any of the listed plugins, double-check the version number and confirm that it's one with known problems. If so, remove the plugin immediately: deactivate it and delete it, not just deactivate it. You can also contact the author, ask whether the problems have been fixed and, if not, urge them to fix them.


Vulnerability types

A quick reminder of the most common security holes and issues WordPress plugins face. Please note that most problems are a combination of two or more types listed below.

Arbitrary file viewing
Instead of allowing only certain files (for example plugin templates) to be viewed, the lack of checks in the code allows the attacker to view the source of any file, including those with sensitive information such as wp-config.php.

Arbitrary file upload
Lack of file type and content filtering allows the upload of arbitrary files that can contain executable code which, once run, can do pretty much anything on the site.

Privilege escalation
Once the attacker has an account on the site, even if it's only a subscriber account, he can escalate his privileges to a higher level, including administrative ones.

SQL injection
By not escaping and filtering data that goes into SQL queries, malicious code can be injected into queries and data deleted, updated or inserted into the database. This is one of the most common vulnerabilities.

Remote code execution (RCE)
Instead of uploading and running malicious code, the attacker can run it from a remote location. The code can do anything, from hijacking the site to completely deleting it.

List of hacked, dangerous & vulnerable WordPress plugins

Plugin Name Vulnerability Type Min / Max Versions Affected
1 Flash Gallery XSS in ZeroClipboard.swf 1.9.0 / n/a
2 Click Socialmedia Button Cross Site Scripting 0.34 / n/a
360 Product Rotation arbitrary file upload 1.1.3 / 1.2.0
3bubble Amazon S3 Html 5 Video With Adverts Arbitrary File Do… 0.7 / n/a
404 To 301 Unauthenticated Stored Cross-Site Scripting (XSS) 2.3.0 / 2.3.1
Tevolution arbitrary file upload 2.0 / 2.2.9
A To Z Category Listing SQL Injection 1.3 / n/a
Ab Google Map Travel CSRF/Stored XSS 3.4 / 4.0
Accurate Form Data Real Time Form Validation Cross-Site Scripting (XSS) & CSRF 1.2 / n/a
Acf Frontend Display Arbitrary File Upload 2.0.5 / n/a
Acurax Social Media Widget Authenticated Stored Cross-Site S… 2.2 / 2.3
Ad Buttons CSRF & XSS 2.3.1 / n/a
Ad Inserter Authenticated Cross-Site Scripting (XSS) 1.5.5 / 1.5.6
Add From Server Cross-Site Request Forgery (CSRF) 3.3.1 / 3.3.2
Add Link To Facebook Authenticated Cross-Site Scripting (XSS) 2.2.7 / 2.2.8
Addblockblocker arbitrary file upload 0.0.1
Addthis Authenticated Cross-Site Scripting (… 5.0.12 / 5.0.13
Admin Font Editor Unauthenticated Reflected Cross-Site Scriptin… 1.8 / n/a
Admin Management Xtended Privilege Escalation 2.4.0 / 2.4.0.1
Admin Pack By Site Caseiro Authenticated Stored Cross-Site Scri… 1.1 / n/a
Adplugg Stored Cross-Site Scripting (XSS) 1.1.33 / 1.1.34
Adrotate clicktracker.php track Parameter SQL Injection 3.9.4 / 3.9.5
Ads Widget remote code execution (RCE) 2.0 / n/a
Advanced Access Manager Privilege Escalation 3.2.1 / 3.2.2
Advanced Ajax Page Loader arbitrary file upload 2.5.7 / 2.7.6
Advanced Custom Fields Remote File Inclusion 3.5.1 / 3.5.2
Advanced Custom Fields Table Field Stored Cross-Site Script… 1.1.12 / 1.1.13
Advanced Dewplayer dewplayer.php Direct Request Path Disclosure… 1.2 / n/a
Advanced Text Widget Cross Site Scripting 2.0.0 / n/a
Advanced Video Embed Embed Videos Or Playlists arbitrary file viewing n/a / 1.0
Advertizer SQL Injection 1.0 / n/a
Age Verification Open Redirect 0.4 / n/a
Ajax Load More Local File Inclusion (LFI) 2.11.1 / 2.11.2
Ajax Random Post Unauthenticated Reflected Cross-Site Scriptin… 2.00 / n/a
Ajax Search Lite Authenticated RCE 3.1 / 3.11
Ajax Search Pro Cross-Site Request Forgery (CSRF) Add User 3.5 / 4.0
Ajax Store Locator Remote SQL Injection 1.2 / n/a
Ajaxgallery SQL Injection 3.0 / n/a
Albo Pretorio On Line Multiple Vulnerabilities 3.2 / 3.3
All In One Seo Pack Unauthenticated Stored Cross-Site Script… 2.3.7 / 2.3.8
All In One Wp Migration Unauthenticated Database Export 2.0.4 / 2.0.5
All In One Wp Security And Firewall Cross-Site Scripting (XSS) 4.2.1 / 4.2.2
Allow Php In Posts And Pages SQL Injection 2.0.0.RC2 / 2.1.0
Allwebmenus WordPress Menu Plugin Shell Upload 1.1.9 / n/a
Alo Easymail Cross-Site Request Forgery (CSRF) 2.9.2 / 2.9.3
Alpine Photo Tile For Instagram Authenticated Cross-Site Scr… 1.2.7.5 / 1.2.7.6
Altos Connect Unauthenticated Cross-Site Scripting (XSS) 1.3.0 / n/a
Analytics Counter Unauthenticated PHP Object I… 3.4.0 / 3.5.0
Another WordPress Classifieds Plugin Unspecified Image Upload 1.8.9.4 / 2.0
Anti Plagiarism Unauthenticated Reflected Cross-Site Scripting… 3.60 / n/a
Appointment Booking Calendar SQL Injection 1.1.24 / 1.1.25
Aryo Activity Log Cross-Site Scripting (XSS) in 'page' 2.3.2 / 2.3.3
Aspose Cloud Ebook Generator arbitrary file viewing 1.0
Aspose Doc Exporter arbitrary file viewing 1.0
Aspose Importer Exporter arbitrary file viewing 1.0
Aspose Pdf Exporter arbitrary file viewing 1.0
Attachment Manager arbitrary file upload 1.0.0 / 2.1.1
Auto Attachments arbitrary file upload 0.2.7 / 0.3
Auto Thickbox Plus Reflected Cross-Site Scripting (XSS) 1.9 / n/a
Avenirsoft Directdownload Cross-Site Scripting (XSS) & CSRF 1.0 / n/a
Aviary Image Editor Add On For Gravity Forms Unauthenticate… 3.0beta / n/a
Awesome Filterable Portfolio Authenticated Blind SQL Injection 1.8.6 / 1.9
Backup Arbitrary File Upload 1.0.2 / 1.0.3
Backupwordpress RFI 0.4.2b / 0.4.3
Bad Behavior Cross-Site Scripting (XSS) 2.2.4 / 2.2.5
Banner Effect Header Cross-Site Scripting (XSS) 1.2.7 / 1.2.8
Bbpress Display Name & Avatar Potential Cross-Site Scripting … 2.5.9 / 2.5.10
Bbpress Like Button SQL injection 1.0 / 1.5
Bepro Listings arbitrary file upload 2.0.54 / 2.2.0020
Better Search Reflective XSS 1.3.4 / 1.3.5
Better Wp Security Unauthenticated Stored Cross-Site Scripting … 5.6.1 / 5.6.2
Bird Feeder CSRF & XSS 1.2.3 / n/a
Bj Lazy Load Remote File Inclusion (Timthumb) 0.7.5 / 1.0
Blaze Slide Show For WordPress arbitrary file upload 2.0 / 2.7
Booking SQL Injection 6.2 / 6.2.1
Booking Calendar Contact Form Multiple Authenticated Vulnerab… 1.0.2 / 1.0.3
Booking System Authenticated Blind SQL Injection 2.0 / 2.1
Bookings controlpanel.php error Parameter XSS 1.8.2 / 1.8.3
Bookmarkify Cross-Site Scripting (XSS) & CSRF 2.9.2 / n/a
Bp Code Snippets XSS in ZeroClipboard 2.0 / n/a
Bp Profile Search PHP Object Injection 4.5.3 / 4.6
Braftonwordpressplugin Reflected XSS 3.4.7 / 3.4.8
Brandfolder File Inclusion 3.0 / 3.0.1
Breadcrumbs Ez remote code execution (RCE) n/a
Broken Link Checker Unauthenticated Stored XSS 1.10.8 / 1.10.9
Broken Link Manager Unauthenticated Stored Cross-Site Scripti… 0.5.5 / 0.6.0
Buckets XSS in ZeroClipboard 0.1.9.2 / n/a
Buddypress Authenticated Privilege Escalation 2.3.4 / 2.3.5
Buddypress Activity Plus Cross-Site Request Forgery (CSRF) 1.5 / 1.6.2
Bulk Delete Privilege Escalation 5.5.3 / 5.5.4
Bulletproof Security Multiple XSS Vulnerabilities .53.3 / .53.4
Calculated Fields Form SQL Injection via CSRF 1.0.10 / 1.0.12
Caldera Forms Cross Site Scripting 1.3.5.3 / 1.4.2
Calendar Cross Site Scripting 1.3.7 / 1.3.8
Candidate Application Form Arbitrary File Download 1.0 / n/a
Captcha Captcha Bypass 4.0.6 / 4.0.7
Car Rental System SQL Injection 3.0 / 3.1
Cardoza Ajax Search SQL Injection 1.3 / 1.4
Cardoza WordPress Poll Multiple External Function Remote Poll… 34.05 / 34.06
Cart66 Lite SQL Injection 1.5.3 / 1.5.4
Catablog Cross Site Scripting 1.6 / n/a
Category Grid View Gallery arbitrary file upload 0.1.0 / 0.1.1
Cforms Remote Code Execution via Unauthorised File … 14.7 / n/a
Chained Quiz Cross-Site Scripting (XSS) 0.9.8 / 0.9.9
Chat Cross-Site Scripting (XSS) in 'message' Parameter 1.0.8 / 1.0.8.1
Check Email Cross-Site Scripting (XSS) 0.5 / 0.5.1
Cherry Plugin arbitrary file upload 1.0 / 1.2.6
Chikuncount arbitrary file upload 1.3
Church Admin Stored Cross-Site Scripting (XSS) 0.800 / 0.810
Cimy User Manager Arbitrary File Disclosure 1.4.2 / 1.4.4
Cip4 Folder Download Widget arbitrary file viewing 1.4 / 1.10
Citizen Space Reflected Cross-Site Scripting (XSS) 1.1 / n/a
Ckeditor For WordPress Authenticated Reflected Cross-Site Scr… 4.5.3 / 4.5.3.1
Claptastic Clap Button Authenticated Cross-Site Scripting (XSS) 1.3 / n/a
Clean And Simple Contact Form By Meg Nicholas Cross-Site Scripting (XSS) 4.4.0 / 4.4.1
Cleantalk Spam Protect Unauthenticated Reflected Cross-Site Sc… 5.21 / 5.22
Cleeng XSS in ZeroClipboard 2.3.2 / n/a
Click To Copy Grab Box XSS in ZeroClipboard 0.1.1 / n/a
Clickbank Ads Clickbank Widget CSRF/XSS 1.7 / n/a
Clicky Minor Security Improvements 1.5 / 1.6
Cloudflare Cross-Site Scripting (XSS) 1.3.20 / 1.3.21
Cm Ad Changer Stored Cross-Site Scripting (XSS) 1.7.7 / 1.7.8
Cm Download Manager XSS & CSRF 2.0.6 / 2.0.7
Cms Commander Client Unauthenticated PHP Object Injection 2.21 / 2.22
Code Snippets Authenticated Reflected Cross-Site Scripting (XSS) 2.6.1 / 2.7.0
Codestyling Localization Cross Site Scripting 1.99.17 / 1.99.20
Collision Testimonials SQL Injection 3.0 / n/a
Commentator Reflected Cross-Site Scripting (XSS) 2.5.2 / 2.5.3
Community Events SQL Injection 1.3.5 / 1.4
Connections Reflected Cross-Site Scripting (XSS) 8.5.8 / 8.5.9
Contact Bank Cross-Site Scripting (XSS) 2.1.21 / 2.1.23
Contact Form 7 File Upload Remote Code Execution 3.5.2 / 3.5.3
Contact Form 7 To Database Extension Cross-Site Request Forgery (CSRF) 2.8.29 / 2.8.32
Contact Form Builder Authenticated Blind SQL Injection 1.0.24 / 1.0.25
Contact Form Generator Multiple Cross-Site Request Forgery (C… 2.0.1 / n/a
Contact Form Maker Authenticated Blind SQL Injection 1.7.30 / 1.7.31
Contact Form Manager Authenticated Reflected Cross-Site Scrip… 1.4.1 / 1.4.2
Contact Form Plugin Stored Cross-Site Scripting (XSS) 4.0.1 / 4.0.2
Contact Form To Email Authenticated Reflected Cross-Site Scr… 1.1.47 / 1.1.48
Contact Form WordPress SQL Injection 2.7.5 / n/a
Content Slide CSRF & Stored XSS 1.4.2 / n/a
Contus Hd Flv Player SQL Injection 1.3 / n/a
Contus Video Gallery Unprotected Mail Page 2.8 / n/a
Cookie Eu remote code execution (RCE) 1.0
Cool Video Gallery Authenticated Command Injection 1.9 / 2.0
Copy In Clipboard XSS in ZeroClipboard 0.8 / n/a
Copyright Licensing Tools SQL Injection 1.1.4 / n/a
Count Per Day Authenticated Reflected Cross-Site Scripting (XSS) 3.5.4 / 3.5.5
Coupon Code Plugin XSS in ZeroClipboard 2.1 / n/a
Couponer SQL Injection 1.2 / n/a
Cp Contact Form With Paypal Multiple Vulnerabilities 1.1.5 / 1.1.6
Cp Image Store Purchase ID Brute Force Prevention 1.0.6 / 1.0.7
Cp Multi View Calendar Unauthenticated SQL Injection 1.1.7 / 1.1.8
Cp Polls Multiple XSS Vulnerabilities 1.0.8 / 1.0.9
Cp Reservation Calendar Unauthenticated SQL Injection 1.1.6 / 1.1.7
Crawlrate Tracker SQL Injection 2.0.2 / n/a
Crayon Syntax Highlighter Local File Disclosure 2.6.10 / 2.7.0
Crazy Bone Unauthenticated Stored Cross-Site Scripting (XSS) 0.5.5 / 0.6.0
Crony Cross-Site Scripting (XSS) & CSRF 0.4.4 / 0.4.6
Cross Rss arbitrary file viewing 0.5
Crossslide Jquery Plugin For WordPress Stored XSS & CSRF 2.0.5 / n/a
Csv2wpec Coupon Unauthenticated Remote File Upload 1.1 / n/a
Cta Reflected Cross-Site Scripting (XSS) 2.4.3 / 2.5.1
Custom Contact Forms Cross Site Scripting 5.0.0.1 / n/a
Custom Content Type Manager Remote Code Execution 0.9.8.5 / 0.9.8.6
Custom Field Suite Insufficient Authorisation 2.4 / 2.4.1
Custom Metas Cross-Site Scripting (XSS) 1.5.1 / n/a
Cysteme Finder Unauthenticated LFI and Unauthenticated File Upload 1.3 / 1.4
Database Sync Reflected Cross-Site Scripting (XSS) 0.4 / 0.5
Db Backup Path Traversal File Access 4.5 / n/a
Deans Fckeditor With Pwwangs Code Plugin For WordPress Remote Shell Upload 1.0.0 / n/a
Defa Online Image Protector Unauthenticated Reflected Cross-Sit… 3.3 / n/a
Delete All Comments arbitrary file upload 2.0
Developer Tools arbitrary file upload 1.0.0 / 1.1.4
Dewplayer Flash Mp3 Player dewplayer.php Direct Request Path Disclosure Weakness 1.2 / n/a
Directdownload Unauthenticated LFI 1.15 / n/a
Disclosure Policy Plugin remote file inclusion (RFI) 1.0
Display Widgets Authenticated Cross-Site Scripting (XSS) 2.03 / 2.04
Disqus Comment System Cross-Site Scripting (XSS) & CSRF 2.75 / 2.76
Dop Slider arbitrary file upload 1.0
Double Opt In For Download Authenticated SQL Injection 2.0.9 / 2.1.0
Download Manager Multiple Vulnerabilities 2.8.7 / 2.8.8
Download Monitor Cross-Site Scripting (XSS) 1.7.0 / 1.7.1
Download Zip Attachments Arbitrary File Download 1.0 / n/a
Downloads Manager arbitrary file upload 1.0 Beta / 1.0 rc-1
Dp Thumbnail arbitrary file upload 1.0
Dropbox Backup PHP object injection 1.0 / 1.4.7.5
Drp Coupon XSS in ZeroClipboard 2.1 / n/a
Dukapress Unauthenticated Blind SQL Injection 2.5.9 / 2.5.9.1
Duplicator Cross-Site Request Forgery (CSRF) 1.1.3 / 1.1.4
Dw Question Answer Stored Cross-Site Scripting (XSS) 1.4.2.2 / 1.4.2.3
Dynamic Widgets Authenticated Cross-Site Scripting (XSS) 1.5.10 / 1.5.11
Dzs Videogallery Multiple Vulnerabilities 8.60 / n/a
Dzs Zoomsounds Remote File Upload 2.0 / n/a
E Search Unauthenticated Reflected Cross-Site Scripting (XSS) 1.0 / n/a
Easing Slider 2 x Cross-Site Scripting (XSS) 2.2.0.6 / 2.2.0.7
Easy Coming Soon Authenticated Stored Cross-Site Scripting (XSS) 1.8.1 / 1.8.2
Easy Contact Form Lite SQL Injection 1.0.7 / n/a
Easy Digital Downloads PHP Object Injection 2.5.7 / 2.5.8
Easy Media Gallery Cross Site Scripting (XSS) 1.3.47 / 1.3.50
Easy Photo Album Album Information Disclosure 1.1.5 / 1.1.6
Easy Pie Coming Soon Authenticated Cross-Site Scripting (XSS) 1.0.0 / 1.0.1
Easy Social Icons Authenticated SQL Injection 1.2.3.1 / 1.2.4
Easy Social Share Buttons For WordPress Cross-Site Scripting (XSS) 3.2.5 / 3.5
Easy Table Authenticated Cross-Site Scripting (XSS) 1.5.2 / 1.5.3
Easy Testimonials Authenticated Stored Cross-Site Scripting … 1.36.1 / 1.37
Easy2map Local File Inclusion 1.2.9 / 1.3.0
Easy2map Photos SQL Injection 1.0.9 / 1.1.0
Ebook Download arbitrary file viewing 1.1
Echosign Reflected Cross-Site Scripting (XSS) 1.1 / 1.2
Ecstatic arbitrary file upload 0.90 (x9) / 0.9933
Ecwid Shopping Cart Unauthenticated PHP Object Inje… 4.4.3 / 4.4.4
Ed2k Link Selector XSS in ZeroClipboard 1.1.7 / n/a
Elisqlreports Authenticated Arbitrary Code Execution 4.11.33 / 4.11.37
Email Encoder Bundle Unauthenticated Cross-Site Scripting (XSS) 1.4.1 / 1.4.2
Email Newsletter Authenticated Cross-Site Scripting (XSS) 20.13.6 / n/a
Email Subscribers Multiple XSS & SQLi 2.9 / 2.9.1
Email Users Cross-Site Request Forgery (CSRF) 4.8.3 / 4.8.4
Embed Articles CSRF & Stored XSS 7.0.3 / n/a
Enable Google Analytics remote code execution (RCE) n/a
Enable Media Replace Multiple Vulnerabilities 2.3 / 2.4
Encrypted Contact Form CSRF & XSS 1.0.4 / 1.1
Enhanced Tooltipglossary XSS 3.3.4 / 3.3.5
Erident Custom Login And Dashboard Unspecified CSRF 3.4.1 / 3.5
Eshop Remote Code Execution 6.3.11 / 6.3.12
Estatik arbitrary file upload 1.0.0 / 2.2.5
Evarisk SQL Injection 5.1.3.6 / n/a
Event Commerce Wp Event Calendar persistent cross-site scripting (XSS) 1.0
Event Registration SQL Injection 5.44 / n/a
Events Made Easy Cross-Site Scripting (XSS) 1.6.20 / 1.6.21
Ewww Image Optimizer Remote Code Execution 2.8.3 / 2.8.4
Ez Portfolio Multiple Cross-Site Scripting (XSS) 1.0.1 / 1.0.2
Ezpz One Click Backup Unauthenticated Command Execution 12.03.10 / n/a
Facebook Opengraph Meta Plugin SQL Injection 1.0 / n/a
Facebook Page Photo Gallery DOM Cross-Site Scripting (XSS) 2.0.9 / n/a
Faq Wd Cross-Site Scripting (XSS) 1.0.14 / 1.0.17
Fast Image Adder Unauthenticated Remote File Upload 1.1 / n/a
Favicon By Realfavicongenerator Cross-Site Scripting (XSS) 1.2.12 / 1.2.13
Fbpromotions SQL Injection 1.3.3 / n/a
Feedweb Cross-Site Scripting (XSS) 1.8.8 / 1.9
Feedwordpress XSS & SQL-Injection 2015.0426 / 2015.0514
File Groups SQL Injection 1.1.2 / n/a
Filedownload arbitrary file viewing 0.1
Flash Album Gallery Full Path Disclosure 4.24 / 4.25
Flickr Justified Gallery Reflected Cross-Site Scripting (XSS) 3.3.6 / 3.4.0
Floating Social Bar Cross-Site Scripting (XSS) 1.1.5 / 1.1.7
Floating Social Media Icon Authenticated Stored Cross-Site Scri… 2.1 / 2.2
Floating Social Media Links fsml-admin.js.php wpp Parameter R… 1.4.2 / 1.4.3
Fluid Responsive Slideshow CSRF & XSS 2.2.6 / n/a
Font Authenticated Path Traversal 7.5 / 7.5.1
Foobox Image Lightbox Cross-Site Scripting (XSS) 1.0.4 / 1.0.5
Form Lightbox option update 1.1 / 2.1
Formbuilder Multiple Authenticated SQL Injection 1.0.7 / 1.0.8
Formidable Authenticated Blind SQL Injection 1.07.11 / 2.0
Forum Server wpf-insert.php edit_post_id Parameter SQL Inj… 1.7.3 / 1.7.4
Fossura Tag Miner Cross-Site Request Forgery (CSRF) 1.1.2 / 1.1.5
Freshmail Newsletter shortcode.php SQL Injection 1.5.8 / 1.6
Front End Upload Arbitrary File Upload 0.5.4.4 / 0.5.4.5
Front File Manager arbitrary file upload 0.1
Frontend Uploader Cross Site Scripting (XSS) 0.9.2 / n/a
Fs Real Estate Plugin SQL injection 1.1 / 2.06.03
Fv WordPress Flowplayer Authenticated Stored Cross-Site Scr… 6.0.3.3 / 6.0.3.4
G Translate remote code execution (RCE) 1.0 / 1.3
G Web Shop ajax_file_cut.php selectedDoc Parameter Remo… 2.2.3 / 2.2.4
Gallery Bank Authenticated Blind SQL Injection 3.0.229 / 3.0.330
Gallery By Supsystic Authenticated Stored Cross-Site Sc… 1.8.5 / 1.8.6
Gallery Images Stored Cross-Site Scripting (XSS) 2.0.5 / 2.0.6
Gallery Objects SQL Injection 0.4 / n/a
Gallery Slider remote code execution (RCE) 2.0 / 2.1
Gd Bbpress Attachments Authenticated Reflected Cross-Site Scrip… 2.2 / 2.3
Gd Star Rating Cross-Site Scripting (XSS) 1.9.16 / n/a
Genesis Simple Defaults arbitrary file upload 1.0.0
Geo Mashup Cross-Site Scripting (XSS) 1.8.2 / 1.8.3
Geshi Source Colorer XSS in ZeroClipboard 0.13 / n/a
Ghost Unrestricted Export Download 0.5.5 / 0.5.6
Gi Media Library Arbitrary File Download 2.2.2 / 3.0
Gigpress Authenticated XSS & Blind SQLi 2.3.10 / 2.3.11
Global Content Blocks SQL Injection 1.2 / n/a
Gocodes Authenticated XSS & Blind SQL Injection 1.3.5 / n/a
Godaddy Email Marketing Sign Up Forms Cross-Site Request Forgery (CSRF) 1.1.3 / 1.1.4
Google Adsense And Hotel Booking Open Proxy 1.05 / n/a
Google Analyticator Multiple Cross-Site Scripting (XSS) 6.4.9.4 / 6.4.9.6
Google Analytics Analyze remote code execution (RCE) 1.0
Google Analytics For WordPress Authenticated Stored Cross-Site Scr… 5.4.4 / 5.4.5
Google Authenticator Two Factor Authentication Bypass 0.47 / 0.48
Google Captcha Authentication Bypass 1.12 / 1.13
Google Document Embedder Cross-Site Scripting (XSS) 2.5.18 / 2.5.19
Google Language Translator Authenticated Cross-Site Scripting… 4.0.9 / 5.0.0
Google Map Wp Authenticated SQL Injection 2.2.5 / n/a
Google Maps Authenticated Reflected Cross-Site Scripting (XSS) 2.1.3 / 2.1.4
Google Maps By Daniel Martyn remote code execution (RCE) 1.0
Google Mp3 Audio Player arbitrary file viewing 1.0.9 / 1.0.11
Google Seo Author Snippets Reflected Cross-Site Scripting (XSS) 1.2.6 / 1.2.7
Googmonify CSRF & XSS 0.5.1 / n/a
Gotmls XSS & CSRF 4.15.42 / 4.15.43
Grapefile Arbitrary File Upload 1.1 / n/a
Gravity File Ajax Upload Free Arbitrary File Upload 1.1 / n/a
Gravityforms Authenticated Blind Cross-Site Scripting (XSS) 2.0.6.5 / 2.0.7
Groupdocs Comparison Multiple Parameter XSS 1.0.2 / 1.0.3
Gtranslate Unauthenticated Open Redirect 2.8.10 / 2.8.11
Gwolle Gb Cross-Site Request Forgery (CSRF) 2.1.0 / 2.1.1
Haiku Minimalist Audio Player jPlayer.swf XSS 1.1.0
Hb Audio Gallery Lite arbitrary file viewing 1.0.0
Hdw Tube Unauthenticated Reflected Cross-Sit… 1.2 / n/a
Hero Maps Pro Unauthenticated Reflected Cross-Site Scripting … 2.1.0 / n/a
Hide_my_wp Stored Cross-Site Scripting (XSS) 4.53 / 4.54
History Collection Arbitrary File Download 1.1.1 / n/a
Html5avmanager arbitrary file upload 0.1.0 / 0.2.7
I Dump Iphone To WordPress Photo Uploader File Upload 1.8 / n/a
Ibs Mappro Directory Traversal 0.6 / 1.0
Icegram Cross-Site Request Forgery (CSRF) 1.9.18 / 1.9.19
Iframe Authenticated Stored Cross-Site Scripting (XSS) 3.0 / 4.0
Iframe Admin Pages Cross Site Scripting 0.1 / n/a
Image Export Directory Traversal 1.1.0 / n/a
Image Gallery With Slideshow Arbitrary File Upload / SQL Injection 1.5 / n/a
Image Slider Widget Authenticated Arbitrary File Deletion 1.1.89 / 1.1.90
Imdb Widget Local File Inclusion (LFI) 1.0.8 / 1.0.9
Import Woocommerce Reflected Cross-Site Scripting (XSS) 1.0.1 / 1.1
Inazo Advanced Ads Management Authenticated Stored Cross-Site Scripti… 1.3 / 1.4
Inboundio Marketing Shell Upload 2.0.3 / n/a
Incoming Links referrers.php XSS 0.9.9b / 0.9.10b
Indexisto Unauthenticated Reflected Cro… 1.0.5 / n/a
Indieweb Post Kinds DOM Cross-Site Scripting (XSS) 1.3.1 / 1.3.1.1
Infusionsoft Unauthenticated Reflected … 1.5.11 / 1.5.12
Inpost Gallery local file inclusion (LFI) 2.0.9 / 2.1.2
Insert Html Snippet Cross-Site Request Forgery (CSRF) 1.2 / 1.2.1
Instagram Feed Authenticated Cross-Site Scripting (XSS) & … 1.4.6.2 / 1.4.7
Instalinker Reflected Cross-Site Scripting (XSS) 1.1.1 / 1.1.2
Invit0r arbitrary file upload 0.2 / 0.22
Ip Blacklist Cloud Arbitrary File Disclosure 3.42 / 3.43
Ip Logger SQL Injection 3.0 / n/a
Iq Block Country Authenticated Reflected Cross-Site Scriptin… 1.1.19 / 1.1.20
Is Human Remote Command Execution 1.4.2 / n/a
Itwitter XSS & CSRF 0.04 / n/a
Iwp Client Unauthenticated PHP Object Injection 1.6.0 / 1.6.1.1
Jammer jPlayer.swf XSS 0.2 / n/a
Jaspreetchahals Coupons Lite XSS in ZeroClipboard 2.1 / n/a
Java Trackback XSS in ZeroClipboard 0.2 / n/a
Jetpack Multiple Vulnerabilities 4.0.3 / 4.0.4
Jm Twitter Cards Full Path Disclosure (FPD) 6.1 / 6.2
Job Manager Authenticated Reflected Cross-Site Scripting (XSS) 0.7.24 / 0.7.25
Joliprint Cross Site Scripting 1.3.0 / n/a
Js Appointment SQL Injection 1.5 / n/a
Js_composer Multiple Unspecified Cross-Site Scripting (XSS) 4.7.3 / 4.7.4
Json Rest Api Cross-Site Scripting (XSS) 1.2.2 / 1.2.3
Jssor Slider arbitrary file upload 1.0 / 1.3
Jw Player Plugin For WordPress Authenticated Cross-Site Sc… 2.1.14 / n/a
Kento Post View Counter CSRF & multiple XSS 2.8 / n/a
Kiwi Logo Carousel Authenticated Cross-Site Scripting (XSS) 1.7.1 / 1.7.2
Knr Author List Widget SQL Injection 2.0.0 / n/a
Landing Pages Reflected Cross-Site Scripting (XSS) 2.2.4 / 2.2.5
Lazy Load Cross-Site Scripting (XSS) 0.6 / 0.6.1
Lazyest Gallery EXIF Script Insertion 1.1.20 / 1.1.21
Leaflet Cross Site Scripting 0.0.1 / n/a
Leaguemanager Unauthenticated SQL Injection 3.9.11 / n/a
Leenkme XSS & CSRF 2.5.0 / 2.6.0
Lightbox Cross-Site Scripting (XSS) 1.6.7 / 1.6.8
Like Dislike Counter For Posts Pages And Comments SQL injection 1.0 / 1.2.3
Link Library Authenticated Reflected Cross-Site Scripting… 5.9.12.29 / 5.9.12.30
Liveforms Unauthenticated Stored Cross-Site Scripting (XSS) 1.2.0 / 1.3.0
Mac Dock Gallery arbitrary file upload 1.0 / 2.7
Magic Fields Authenticated Cross-Site Scripting (XSS) 1.7.1 / 1.7.2
Magn Html5 Drag And Drop Media Uploader Upload Shell Upload 1.1.4 / n/a
Mailchimp For Wp Authenticated Cross-Site Scripting (… 4.0.10 / 4.0.11
Mailchimp Integration remote code execution (RCE) 1.0.1 / 1.1
Mailchimp Subscribe Sm Email Field Remote PHP Code Execution 1.1 / 1.2
Mailcwp Unauthenticated Arbitrary File Upload 1.99 / 1.110
Mailpress local file inclusion (LFI) 5.2 / 5.4.6
Mainwp Unauthenticated Stored Cross-Site Scripting (XSS) 3.1.2 / 3.1.3
Mainwp Child Unspecified 2.0.22 / 2.0.23
Manual Image Crop Authenticated Reflected Cross-Site Scripting… 1.10 / 1.11
Markdown On Save Improved Stored Cross-Site Scripting (XSS) 2.5 / 2.5.1
Mashsharer Information Disclosure 2.3.0 / 2.3.1
Master Slider Reflected Cross-Site Scripting (XSS) 2.7.1 / 2.8.0
Mdc Private Message Authenticated Stored Cross-Site Scripting… 1.0.0 / 1.0.1
Mdc Youtube Downloader Local File Inclusion 2.1.0 / 2.1.1
Media File Manager Advanced Multiple Vulnerabilities 1.1.5 / n/a
Media File Renamer Stored Cross-Site Scripting (XSS) 1.7.0 / 2.2.2
Media Library Categories SQL Injection 1.0.6 / n/a
Membersonic Lite Authentication Bypass 1.2 / 1.302
Memphis Documents Library Arbitrary File Download 3.1.5 / 3.1.6
Menu Image malicious JavaScript loading 2.6.5 / 2.6.9
Microblog Poster Authenticated Blind SQL Injection 1.6.0 / 1.6.2
Mingle Forum Cross Site Scripting / SQL Injection 1.0.32.1 / n/a
Ml Slider Cross-Site Scripting (XSS) 2.5 / 2.6
Mm Duplicate SQL Injection 1.2 / n/a
Mm Forms Community SQL Injection 1.2.3 / n/a
Mobile Domain CSRF/XSS 1.5.2 / n/a
Mobileview XSS in ZeroClipboard 1.0.7 / n/a
Monetize Cross-Site Scripting (XSS) & CSRF 1.03 / n/a
Moodthingy Mood Rating Widget Multiple SQL Injection 0.9.1 / 0.9.2
Mp3 Jplayer Full Path Disclosure 2.3.3 / n/a
Mtouch Quiz Multiple Vulnerabilities XSS & CSRF 3.1.2 / 3.1.3
Multi Plugin Installer Unauthenticated File Traversal 1.1.0 / 1.2.0
Multicons Authenticated Stored Cross-Site Scripting (XSS) 2.1 / 3.0
Multisite Post Duplicator Cross-Site Request Forgery (CSRF) 0.9.5.1 / 1.1.3
Music Store Cross-Site Scripting (XSS) 1.0.41 / 1.0.43
My Calendar Arbitrary File Override & Reflected XSS 2.3.29 / 2.3.30
My Category Order Authenticated Cross-Site Scripting (XSS) 4.3 / n/a
My Link Order Authenticated Cross-Site Scripting (XSS) 4.3 / n/a
My Page Order Authenticated Cross-Site Scripting (XSS) 4.3 / n/a
Myflash (wppath) RFI 1.00 / n/a
Mygallery Remote File Inclusion 1.4b4 / n/a
Mypixs Unauthenticated Local File Inclusion (LFI) 0.3 / n/a
Mystat SQL Injection 2.6 / n/a
Mz Jajak index.php id Parameter SQL Injection 2.1 / n/a
Nelio Ab Testing Server Side Request Forgery (SSRF) 4.5.8 / 4.5.9
Network Publisher Cross Site Scripting 5.0.1 / n/a
Neuvoo Jobroll Unauthenticated Reflected Cross-Site Scripting (… 2.0 / n/a
New Year Firework Unauthenticated Reflected Cross-Site Script… 1.1.9 / n/a
Newsletter SQL Injection 3.0.8 / 3.0.9
Newsletter Manager Cross Site Scripting 1.0.2
Newstatpress Stored Cross-Site Scripting (XSS) 1.2.4 / 1.2.5
Nex Forms Express Wp Form Builder Unauthenticated Blind SQL Injection 4.0 / 4.6.1
Nextend Facebook Connect Cross-Site Request Forgery (CSRF) 1.5.7 / 1.5.8
Nextend Twitter Connect Reflected Cross-Site Scripting (XSS) 1.5.1 / 1.5.2
Nextgen Gallery Unauthenticated SQL Injection 2.1.77 / 2.1.79
Ninja Forms Authenticated SQL Injection 2.9.55.1 / 2.9.55.2
Nmedia User File Uploader Arbitrary File Upload 3.9 / 4.0
Nofollow Links Cross-Site Scripting (XSS) 1.0.10 / 1.0.11
Nokia Mapsplaces Reflected Cross-Site Scripting (XSS) 1.6.6 / 1.6.7
Oauth2 Provider Insecure Pseudorandom Number Generation 3.1.4 / 3.1.5
Odihost Newsletter Plugin SQL Injection 1.0 / n/a
Olevmedia Shortcodes Authenticated Reflected Cross-Site Scrip… 1.1.8 / 1.1.9
Olimometer Unauthenticated SQL Injection 2.56 / 2.57
Onelogin Saml Sso Signature Wrapping 2.4.2 / 2.4.3
Optinmonster Execution of Arbitrary Shortcodes 1.1.4.5 / 1.1.4.6
Option Seo remote code execution (RCE) 1.5
Oqey Gallery SQL Injection 0.4.8 / n/a
Oqey Headers SQL Injection 0.3 / n/a
Orbisius Child Theme Creator Arbitrary File Write 1.2.6 / 1.2.8
P3 Profiler Cross-Site Scripting (XSS) 1.5.3.8 / 1.5.3.9
Page Flip Image Gallery Remote FD Vuln 0.2.2 / n/a
Page Google Maps remote code execution (RCE) 1.4
Page Layout Builder Unauthenticated Reflected Cross-Site Scripting (XSS) 2.0.2 / n/a
Pagerestrict Authenticated Stored Cross-Site Scripting (XSS) 2.2.1 / 2.2.2
Paid Downloads SQL Injection 2.01 / n/a
Parsi Font Unauthenticated Reflected Cross-Site Scriptin… 4.2.5 / 4.3
Party Hall Booking Management System SQL injection 1.0 / 1.1
Pay With Tweet Multiple Vulnerabilities 1.1 / n/a
Payment Form For Paypal Pro Multiple Reflected Cross-Site Scr… 1.0.1 / 1.0.2
Paypal Currency Converter Basic For Woocommerce File Read 1.3 / 1.4
Paypal Digital Goods Monetization Powered By Cleeng XSS in Z… 2.2.13 / n/a
Pdf Print Cross Site Scripting 1.7.4 / 1.7.5
Peepso Core Authenticated Privilege Escalation 1.6.0 / 1.6.1
Persian Woocommerce Sms Reflected Cross-Site Scripting (XSS) 3.3.3 / 3.3.4
Peters Login Redirect Cross-Site Scripting (XSS) & CSRF 2.9.0 / 2.9.1
Photo Gallery Cross-Site Scripting (XSS) 1.2.11 / 1.2.13
Photoracer SQL Injection 1.0 / n/a
Php Analytics arbitrary file upload n/a
Php Event Calendar Arbitrary File Upload 1.5 / 1.5.1
Php_speedy_wp (admin_container.php) Remote Code Exec Exploit 0.5.2 / n/a
Pica Photo Gallery arbitrary file viewing 1.0
Pictpress Remote File Disclosure 0.91 / n/a
Pie Register Authenticated Blind SQL Injection 2.0.18 / 2.0.19
Pitchprint arbitrary file upload 7.1 / 7.1.1
Pixabay Images Multiple Vulnerabilities (RCE, XSS, …) 2.3 / 2.4
Placester XSS in ZeroClipboard 0.3.12 / n/a
Player Multiple Authenticated Blind SQL Inje… 1.5.16 / 1.5.18
Plugin Central Authenticated Reflected Cross-Site Scripting (XSS) 2.5 / 2.5.1
Plugin Newsletter arbitrary file viewing 1.3 / 1.5
Plugmatter Optin Feature Box Lite Unauthenticated Blind SQL Injec… 2.0.13 / 2.0.14
Plugnedit Authenticated Stored Cross-Site Scr… 5.2.0 / 6.2.0
Pluscaptcha Cross-Site Request Forgery (CSRF) 2.0.14 / 2.1.0
Podlove Podcasting Plugin For WordPress Multiple SQLi & XSS 2.3.15 / 2.3.16
Pods Blind SQL Injection 2.5.1.1 / 2.5.1.2
Polldaddy Shortcode Stored Cross-Site Script… 2.0.31 / 2.0.32
Pondol Formmail Unauthenticated Reflected Cross-Site Script… 1.1 / n/a
Portfolio Gallery Reflected Cross-Site Scripting (XSS) 2.1.10 / 2.1.11
Post Duplicator Cross-Site Scripting (XSS) 2.16 / 2.17
Post Expirator Cross-Site Request Forgery 2.1.1 / 2.1.2
Post Grid Unauthenticated Arbitrary File Deletion 2.0.12 / 2.0.13
Post Highlights SQL Injection 2.2 / n/a
Post Indexer Authenticated SQL Injection 3.0.6.1 / 3.0.6.2
Postmatic Cross-Site Scripting (XSS) 1.4.5 / 1.4.6
Posts In Page authenticated local file inclusion (LFI) 1.0.0 / 1.2.4
Powerpress Authenticated Cross-Site… 6.0.4 / 6.0.5
Pretty Link Authenticated SQL Injection 1.6.7 / 1.6.8
Prettyphoto DOM Cross-Site Scripting (XSS) 1.1 / 1.2
Private Only CSRF & XSS 3.5.1 / n/a
Profile Builder Reflected Cross-Site Scripting (XSS) 2.4.1 / 2.4.2
Profiles SQL Injection 2.0RC1 / n/a
Ptengine Real Time Web Analytics And Heatmap Reflected Cross-Site Scripting (XSS) 1.0.1 / 1.0.2
Pure Html SQL Injection 1.0.0 / n/a
Pwgrandom CSRF & XSS 1.11 / n/a
Q2w3 Inc Manager XSS in ZeroClipboard 2.3.1 / n/a
Qtranslate Cross-Site Scripting (XSS) 2.5.39 / n/a
Qtranslate X Authenticated Reflected Cross-Site Scripting (XSS) 3.4.3 / 3.4.4
Quiz Master Next Stored Cross-Site Scripting (XSS) & CSRF 4.7.8
Quotes And Tips Cross Site Scripting 1.19 / 1.20
Quotes Collection Reflected Cross-Site Scripting (XSS) 2.0.5 / 2.0.6
Really Simple Guest Post File Include 1.0.6 / 1.0.7
Recent Backups Remote File Download 0.7 / n/a
Recent Posts Widget Extended Authenticated XSS (multisite) 0.9.9.3 / 0.9.9.4
Redirection Page CSRF/XSS 1.2 / n/a
Reflex Gallery Arbitrary File Upload 3.1.3 / 3.1.4
Register Plus Redux Cross Site Scripting 3.8.3 / n/a
Rejected Wp Keyword Link Rejected Authenticated Stored Cross-Site Scripting (XSS) 1.7 / n/a
Related Posts For Wp Cross-Site Scripting (XSS) 1.8.1 / 1.8.2
Relevanssi Cross-Site Scripting (XSS) 3.3.7.1 / 3.3.8
Relevanssi Premium SQL Injection & PHP Object Injection 1.14.4 / 1.14.6.1
Relevant Cross Site Scripting 1.0.7 / 1.0.8
Remote Upload Unrestricted File Upload 1.2.1 / 1.2.2
Resads Reflected Cross-Site Scripting (XSS) 1.0.1 / 1.0.2
Rest Api Unauthenticated Sensitive Informa… 13 / 13.1
Resume Submissions Job Postings Unrestricted File Upload 2.5.1 / 2.5.2
Return To Top remote code execution (RCE) 1.8 / 5.0
Revslider arbitrary file viewing 1.0 / 4.1.4
Rich Counter Cross-Site Scripting (XSS) 1.1.5 / 1.2.0
Robo Gallery Remote Code Execution 2.0.14 / 2.0.15
Role Scoper Unauthenticated Reflected Cross-Site Scripting (… 1.3.66 / 1.3.67
Royal Slider Authenticated Cross-Site Scripting (XSS) 3.2.6 / 3.2.7
S3 Video Unauthenticated Reflected Cross-Site Scriptin… 0.983 / n/a
S3bubble Amazon S3 Audio Streaming Arb… 2.0 / n/a
S3bubble Amazon S3 Html 5 Video With Adverts arbitrary file viewing 0.5 / 0.7
Sabre Cross Site Scripting 1.2.0 / 1.2.2
Safe Editor Unauthenticated CSS/JS-injection 1.1 / 1.2
Sam Pro Free Local File Inclusion (LFI) 1.9.6.67 / 1.9.7.69
Scorerender XSS in ZeroClipboard 0.3.4 / n/a
Scormcloud SQL Injection 1.0.6.6 / 1.0.7
Se Html5 Album Audio Player Local File Include 1.1.0 / n/a
Search And Share XSS in ZeroClipboard 0.9.3 / n/a
Search Autocomplete SQL Injection 1.0.8 / n/a
Searchterms Tagging 2 Authenticated SQL Injection 2 1.535 / n/a
Securemoz Security Audit MitM PHP Object Injection 1.0.5 / n/a
Sell Downloads arbitrary file viewing 1.0.1
Sendit Blind SQL Injection 1.5.9 / n/a
Sendpress Authenticated SQL Injection 1.1.7.21 / 1.2
Seo Image Cross-Site Scripting (XSS) 3.0.4 / 3.0.5
Seo Keyword Page remote code execution (RCE) 2.0.5
Seo Rank Reporter Authenticated Reflected Cross-Site Scriptin… 2.2.2 / n/a
Seo Redirection Authenticated Reflected Cross-Site Scrip… 2.8 / 2.9
Seo Spy Google WordPress Plugin arbitrary file upload 2.0 / 2.6
Seo Watcher arbitrary file upload 1.3.2 / 1.3.3
Sexy Contact Form arbitrary file upload 0.9.1 / 0.9.8
Sh Slideshow SQL Injection 3.1.4 / n/a
Share And Follow Cross Site Scripting 1.80.3 / n/a
Share Buttons Wp remote code execution (RCE) 1.0
Sharebar sharebar-admin.php page Parameter XSS 1.2.5 / n/a
Shariff Sharing Stored Cross-Site Scripting (XSS) 1.0.7 / 1.0.8
Shortcode Redirect Stored Cross Site Scripting 1.0.01 / n/a
Showbiz arbitrary file viewing 1.0 / 1.5.2
Si Contact Form Authenticated Cross-Site Scripting … 4.0.37 / 4.0.38
Simpel Reserveren Unauthenticated Reflected Cross-Site Scri… 3.5.2 / n/a
Simple Ads Manager SQL Injection 2.9.4.116 / 2.9.5.118
Simple Backup Arbitrary File Download 2.7.10 / 2.7.11
Simple Download Button Shortcode arbitrary file viewing 1.0
Simple Download Monitor Insufficient Authorisation 3.2.8 / 3.2.9
Simple Dropbox Upload Form arbitrary file upload 1.8.6 / 1.8.8
Simple Fields Authenticated Reflected Cross-Site Scripting (… 1.4.10 / 1.4.11
Simple Image Manipulator Remote File Download 1.0 / n/a
Simple Membership Cross-Site Scripting (XSS) 3.2.8 / 3.2.9
Simple Photo Gallery Stored Cross-Site Scripting (XSS) 1.8.0 / 1.8.1
Simple Security 2 x Cross-Site Scripting (XSS) 1.1.5 / 1.1.6
Simple Share Buttons Adder Reflected Cross-Site Scripting (XSS) 6.0.0 / 6.0.1
Simple Support Ticket System Unauthenticated SQL Injection 1.2 / 1.2.1
Simplr Registration Form privilege escalation 2.2.0 / 2.4.3
Sirv Authenticated SQL Injection 1.3.1 / 1.3.2
Site Import remote page inclusion 1.0.0 / 1.2.0
Sitepress Multilingual Cms Multiple Vulnerabilities (Including SQLi) 3.1.7.2 / 3.1.9
Slide Show Pro arbitrary file upload 2.0 / 2.4
Slidedeck2 XSS in ZeroClipboard 2.1.20130228 / n/a
Slider Image Authenticated Blind SQL Injection 2.8.6 / 2.8.7
Slideshow Gallery Arbitrary file upload & Cross-Sit… 1.5.3 / 1.5.3.4
Sliding Social Icons CSRF & Stored XSS 1.61 / n/a
Smart Manager For Wp E Commerce Unauthenticated SQL Inje… 3.9.6 / 3.9.7
Smart Slide Show arbitrary file upload 2.0 / 2.4
Smart Slider 2 Authenticated Reflected Cross-Site Scripting … 2.3.11 / 2.3.12
Smart Videos remote code execution (RCE) 1.0
Smooth Slider Authenticated SQL Injection 2.6.5 / 2.7
Snazzy Archives swf/tagcloud.swf tagcloud Parameter XSS 1.7.1 / 1.7.2
Social Locker Authenticated Reflected Cross-Site Scr… 4.2.0 / 4.2.5
Social Networking E Commerce 1 arbitrary file upload 0.0.32
Social Networks Auto Poster Facebook Twitter G Stored XSS 3.4.17 / 3.4.18
Social Share Button Authenticated Stored Cross-Site Scripting (… 2.1 / n/a
Social Sharing possible arbitrary file upload 1.0
Social Slider 2 social-slider-2/ajax.php rA Parameter SQL Injec… 5.6.5 / 6.0.0
Sola Support Tickets XSS & Configuration Change 3.12 / 3.13
Soundcloud Is Gold Unauthenticated Reflected Cross-Site Scrip… 2.3.1 / 2.3.2
Soundy Background Music Reflected Cross-Site Scripting (XSS) 3.1 / 3.2
Sourceafrica Unauthenticated Cross-Site Scripting (XSS) 0.1.3 / n/a
Sp Client Document Manager Multiple Vulnerabilities 2.5.9.5 / 2.6.0.0
Spamtask arbitrary file upload 1.3 / 1.3.6
Spicy Blogroll local file inclusion (LFI) 0.1 / 1.0.0
Spider Event Calendar SQL Injection 1.4.9 / 1.4.14
Spider Facebook Cross-Site Scripting (XSS) 1.0.10 / 1.0.11
Spotlightyour arbitrary file upload 1.0 / 4.5
Stageshow Open Redirect 5.0.8 / 5.0.9
Stats Counter PHP object injection 1.0 / 1.2.2.5
Stats Wp remote code execution 1.8
Stop User Enumeration Username Enumeration Bypasses 1.3.4 / 1.3.5
Store Locator Cross-Site Request Forgery 2.6.1 / 2.12
Store Locator Le Authenticated Cross-Site Sc… 4.5.10 / 4.5.11
Stream Unauthenticated Events Export 3.0.5 / 3.0.6
Stream Video Player Setting Manipulation CSRF 1.4.0 / n/a
Subscribe To Comments Authenticated Local File Inclusion 2.1.2 / 2.3
Subscribe To Comments Reloaded Authenticated Reflected Cross… 150611 / 150820
Subscribe2 Cross Site Scripting 8.0 / 8.1
Super Captcha SQL Injection 2.2.4 / n/a
Supportflow Stored Cross-Site Scripting (XSS) 0.6 / 0.7
Syndication Links DOM Cross-Site Scripting (XSS) 1.0.2 / 1.0.2.1
Syntaxhighlighter Unspecified Cross-Site Scripting (XSS) 3.1.9 / 3.1.10
Taxonomy Terms Order Authenticated Cross-Sit… 1.4.4 / 1.4.6.1
Tera Charts reflected cross-site scripting (XSS) 0.1 / 1.0
Testimonial Slider Authenticated Stored Cross-Site Scripting … 1.2.1 / n/a
Tevolution Unrestricted File Upload 2.2.7 / 2.3.0
Thanks You Counter Button Cross-Site Scripting (XSS) 1.8.2 / 1.8.3
The Events Calendar Open Redirect 4.1.1 / 4.1.1.1
The Holiday Calendar Cross-Site Scripting (XSS) 1.11.2 / 1.11.3
The Viddler WordPress Plugin cross-site request forgery (CSRF)/cross-site scripting (XSS) 1.2.3 / 2.0.0
Thecartpress Multiple Vulnerabilities 1.3.9 / n/a
Theme Test Drive Authenticated File Upload & XSS 2.9 / 2.9.1
Thethe Layout Grid XSS in ZeroClipboard. 1.0.0 / n/a
Thinkit Wp Contact Form wp-admin/admin.php Contact Form Deletion CSRF 0.3 / n/a
Tidio Form Unauthenticated Reflected Cross-Site … 1.0 / n/a
Tidio Gallery Unauthenticated Reflected Cross-Site Scripting (… 1.1 / n/a
Tiny Url XSS in ZeroClipboard 1.3.2 / n/a
Tinymce Advanced Setting Reset Cross-Site Request Forgery (CSRF) 4.1 / 4.2.3
Tinymce Thumbnail Gallery download-image.php Local File Inclu… 1.0.7 / 1.1.0
Top 10 Cross-Site Scripting (XSS) 2.3.0 / 2.3.1
Track That Stat Cross Site Scripting 1.0.8 / 1.1.0
Tune Library SQL Injection 1.5.4 / 1.5.5
Tweet Old Post Privilege Escalation 6.9.0 / 6.9.4
Tweet Wheel Reflected Cross-Site Scripting (XSS) 1.0.3.2 / 1.0.3.3
Types Cross-Site Scripting (XSS) 1.8.7.2 / 1.8.8
Ucan Post Stored XSS 1.0.09 / n/a
Uji Countdown Cross-Site Scripting (XSS) 2.0.6 / 2.0.7
Ultimate Member Unauthenticated Change Passwords 1.3.75 / 1.3.76
Ultimate Product Catalog Privilege Escalation 3.8.1 / 3.8.2
Ultimate Product Catalogue Unauthenticated Blind SQL Injection 3.9.8 / 3.9.9
Ultimate Profile Builder CSRF/XSS 2.3.3 / n/a
Ultimate Social Media Icons Authenticated Stored Cross-Site… 1.1.1.11 / 1.1.1.12
Unconfirmed unconfirmed.php s Parameter Reflected XSS 1.2.4 / 1.2.5
Ungallery Local File Disclosure 1.5.8 / 1.5.9
Uninstall WordPress Deletion via CSRF 1.1 / 1.2
Unite Gallery Lite CSRF & Authenticated SQL Injection 1.4.6 / 1.5
Universal Analytics Authenticated Cross-Site Scripting (XSS) 1.3.0 / 1.3.1
Unlimited Popups Cross-Site Scripting (XSS) 1.4.3 / 1.4.4
Updraft Cross-Site Scripting (XSS) 1.9.6.3 / 1.9.6.4
Updraftplus Privilege Escalation 1.9.50 / 1.9.51
Usc E Shop Session Management 1.8.2 / 1.8.3
User Meta Manager Information Disclosure 3.4.7 / 3.4.8
User Role Editor Privilege Escalation 4.24 / 4.25
User Submitted Posts Stored Cross-Site Scripting (XSS) 20151113 / 20160215
Users To Csv Cross-Site Request Forgery (CSRF) 1.4.5 / n/a
Users Ultra Authenticated Stored Cross-Sit… 1.5.62 / 1.5.63
Vaultpress Backend Server SSL Verification Disabled 1.8.6 / 1.8.7
Video Playlist And Gallery Plugin Authenticated Stored Cross-Site Scripting … 1.136 / 1.137
Videowhisper Live Streaming Integration Cross-Site Scripting… 4.25.3 / n/a
Videowhisper Video Presentation SQL Injection 1.1 / n/a
Visitor Maps Authenticated Stored Cross-Site… 1.5.8.6 / 1.5.8.7
Visual Form Builder SQL Injection & Reflected XSS 2.8.2 / 2.8.3
Vn Calendar Multiple Cross-Site Scripting (XSS) 1.0 / n/a
W3 Total Cache Information Disclosure Race Condition 0.9.4.1 / 0.9.5
Wangguard Authenticated Reflected Cross-Site Scripting (XSS) 1.7.2 / 1.7.3
Wassup Cross Site Scripting 1.9 / 1.9.1
Watupro Cross-Site Request Forgery (CSRF) 4.8.8.4 / 4.9.0.8
Web Tripwire arbitrary file upload 0.1.2
Websimon Tables Authenticated Reflected Cross-Site Scripting … 1.3.4 / n/a
Website Contact Form With File Upload Local File Inclusion 1.5 / 1.6
Weever Apps 20 Mobile Web Apps arbitrary file upload 3.0.25 / 3.1.6
White Label Cms Stored XSS 1.5.2 / 1.5.3
Whizz Unauthenticated Reflected Cross-Site Scripting (XSS) 1.0.7 / 1.0.8
Woo Custom Checkout Field CSRF & Stored XSS 1.3.4 / 1.3.5
Woo Email Control Reflected Cross-Site Scripting (XSS) & CSRF 1.01 / 1.02
Woocommerce Authenticated Tax-Rate CSV XSS 2.6.8 / 2.6.9
Woocommerce Abandoned Cart Authenticated Blind SQL Injection 1.8 / 1.9
Woocommerce Product Addon Arbitrary File Upload 1.1 / 2.0
Woocommerce Products Filter authenticated persistent cross-site scripting (XSS) 1.1.4 / 1.1.4.2
Woopra arbitrary file upload 1.4.1 / 1.4.3.1
Wordfence Cross-Site Scripting (XSS) 5.1.4 / 5.1.5
WordPress Donation Plugin With Goals And Paypal Ipn By Nonprofitcmsorg SQL Injection 1.0 / n/a
WordPress File Monitor persistent cross-site scripting (XSS) 2.0 / 2.3.3
WordPress Flash Uploader Arbitrary Command Execution 3.1.2 / 3.1.3
WordPress Form Manager Authenticated Remote Command Execution (RCE) 1.7.2 / 1.7.3
WordPress Meta Robots Authenticated Blind SQL Injection 2.1 / n/a
WordPress Mobile Pack Information Disclosure 2.1.2 / 2.1.3
WordPress Seo Authenticated Stored Cross-Site Scripting (XSS) 3.4.0 / 3.4.1
WordPress Seo Premium Cross-Site Scripting (XSS) 2.0.1 / 2.1
WordPress Simple Paypal Shopping Cart Cross-Site Request Forgery (CSRF) 3.5 / 3.6
Wordtube (wpPATH) RFI 1.43 / n/a
Work The Flow File Upload Shell Upload 2.5.2 / 2.5.3
Wp Advance Comment Stored Cross-Site Scripting (XSS) 0.10 / 0.11
Wp Advanced Importer Reflected Cross-Site Scripting (XSS) 2.1.1 / 2.2
Wp All Import Multiple Vulnerabilities 3.2.4 / 3.2.5
Wp All Import Pro Multiple Vulnerabilities 4.1.1 / 4.1.2
Wp Appointment Schedule Booking System persistent cross-site scripting (XSS) 1.0
Wp Attachment Export Unauthenticated File Download 0.2.3 / 0.2.4
Wp Audio Gallery Playlist SQL Injection 0.12 / n/a
Wp Auto Affiliate Links Authenticated Blind SQL Injection 4.9.9.4 / 5.0
Wp Autoyoutube Blind SQL Injection 0.1 / n/a
Wp Backitup Backup File Disclosure 1.9.1 / 1.9.2
Wp Bannerize SQL Injection 2.8.6 / 2.8.7
Wp Business Intelligence SQL Injection 1.6.1 / 1.6.2
Wp Business Intelligence Lite SQL Injection 1.6.1 / 1.6.2
Wp Cerber Unauthenticated Stored XSS 2.0.1.6 / 2.7
Wp Championship Authenticated Blind SQL Injection 5.8 / 5.9
Wp Clone By Wp Academy XSS in ZeroClipboard 2.1.1 / n/a
Wp Construction Mode Cross-Site Scripting (XSS) 1.91 / 1.92
Wp Copyprotect CSRF & Stored Cross-Site Scripting (XSS) 3.0.0 / 3.1.0
Wp Cron Dashboard Reflected Cross-Site Scripting (XSS) 1.1.5 / 1.1.6
Wp Crontrol Authenticated Reflected Cross-Site Scripting (XSS) 1.2.3 / 1.3
Wp Cumulus Vulnerabilities 1.20 / n/a
Wp Custom Page arbitrary file viewing 0.5 / 0.5.0.1
Wp D3 Cross-Site Request Forgery (CSRF) 2.4 / 2.4.1
Wp Database Backup Cross-Site Request Forgery (CSRF) 4.3.5 / 4.3.6
Wp Dreamworkgallery arbitrary file upload 2.0 / 2.3
Wp Ds Faq ajax.php id Parameter SQL Injection 1.3.2 / n/a
Wp E Commerce SQL Injection in sessionid 3.11.3 / 3.11.4
Wp Easy Gallery Reflected Cross-Site Scripting (XSS) 4.1.4 / 4.1.5
Wp Easy Poll Afo Cross-Site Scripting (XSS) & CSRF 1.1.3 / 1.1.4
Wp Easy Slideshow Multiple Cross-Site Request Forgery (CSRF) 1.0.3 / n/a
Wp Easybooking reflected cross-site scripting (XSS) 1.0.0 / 1.0.3
Wp Easycart Unrestricted File Upload 3.0.15 / 3.0.16
Wp Ecommerce Shop Styling Local File Inclusion 2.5 / 2.6
Wp Editor Multiple Cross-Site Scripting (XSS) 1.2.6.2 / 1.2.6.3
Wp Email SQL Injection 2.67.1 / 2.67.2
Wp External Links Multiple Cross-Site Scripting (XSS) 1.80 / 1.81
Wp Facethumb Reflected Cross Site Scripting 0.1 / n/a
Wp Fast Cache CSRF & Cross-Site Scripting (XSS) 1.4 / 1.5
Wp Fastest Cache Local File Inclusion (LFI) 0.8.5.9
Wp Favorite Posts Cross-Site Scripting (XSS) 1.6.5 / 1.6.6
Wp Fb Autoconnect XSS/CSRF 4.0.5 / 4.0.6
Wp File Upload Insufficient File Extension Blacklisting 3.8.5 / 3.9.0
Wp Filebase wpfb-ajax.php base Parameter SQL… 0.2.9 / n/a
Wp Filemanager File Download 1.3.0 / 1.4.0
Wp Flash Player Multiple Cross-Site Scripting (XSS) 1.3 / n/a
Wp Flipslideshow persistent cross-site scripting (XSS) 2.0 / 2.2
Wp Front End Profile Privilege Escalation & Stored Cross-Site… 0.2.1 / 0.2.2
Wp Front End Repository Arbitrary File Upload 1.1 / n/a
Wp Google Fonts Authenticated Reflected Cross-Site Scripting … 3.1.3 / 3.1.4
Wp Google Map Plugin Authenticated Cross-Site Scripting (XSS) 2.3.9 / 3.0.0
Wp Google Maps Authenticated Stored Cross-Site Scripting (XS… 6.3.14 / 6.3.15
Wp Handy Lightbox remote code execution (RCE) 1.4.5
Wp Homepage Slideshow arbitrary file upload 2.0 / 2.3
Wp Image News Slider arbitrary file upload 3.0 / 3.5
Wp Instance Rename Arbitrary File Download 1.0 / n/a
Wp Invoice Multiple Vulnerabilities 4.1.0 / 4.1.1
Wp Job Manager Unauthenticated Reflected Cross-Site Scriptin… 1.23.7 / 1.23.8
Wp Levoslideshow arbitrary file upload 2.0 / 2.3
Wp Limit Login Attempts Unauthenticated SQL Injection 2.0.0 / 2.0.1
Wp Limit Posts Automatically CSRF & XSS 0.7 / n/a
Wp Link To Us XSS in ZeroClipboard 2.0 / n/a
Wp Listings Unauthenticated Reflected Cross-Site Scripti… 2.0.1 / 2.0.2
Wp Live Chat Support Stored Cross-Site Scripting (XSS) 6.2.03 / 6.2.04
Wp Maintenance Mode Missing Settings Authorization 2.0.6 / 2.0.7
Wp Media Cleaner Cross-Site Scripting (XSS) 2.2.6 / n/a
Wp Membership Multiple Vulnerabilities 1.2.3 / n/a
Wp Menu Creator SQL Injection 1.1.7 / n/a
Wp Mobile Detector Arbitrary File Upload 3.5 / 3.6
Wp Mobile Edition Local File Inclusion (LFI) 2.2.7 / 2.3
Wp Mon arbitrary file viewing 0.5 / 0.5.1
Wp Noexternallinks Cross-Site Scripting (XSS) 3.5.15 / 3.5.16
Wp Online Store arbitrary file viewing 1.2.5 / 1.3.1
Wp Page Widget Authenticated Reflected Cross-Site Scripting (XSS) 2.7 / 2.8
Wp Photo Album Plus Stored Cross-Site Scripting (XSS) 6.1.2 / 6.1.3
Wp Piwik Unauthenticated Stored Cross-Site Scripting (XSS) 1.0.10
Wp Plotly Authenticated Stored Cross-Site Scripting (XSS) 1.0.2 / 1.0.3
Wp Polls Authenticated Reflected Cross-Site Scripting (XSS) 2.73 / 2.73.1
Wp Popup remote code execution (RCE) 2.0.0 / 2.1
Wp Post Frontend arbitrary file upload 1.0
Wp Print Friendly Security Bypass 0.5.2 / 0.5.3
Wp Property Non-administrative User XMLI Remote Informatio… 1.38.3.2 / 1.38.4
Wp Quick Booking Manager persistent cross-site scripting (XSS) 1.0 / 1.1
Wp Recaptcha Reflected XSS 3.1.3 / 3.1.4
Wp Rollback Cross-Site Scripting (XSS) & CSRF 1.2.2 / 1.2.3
Wp Royal Gallery persistent cross-site scripting (XSS) 2.0 / 2.3
Wp Rss Multi Importer Blind SQL Injection & Cross-Site Scripti… 3.15 / n/a
Wp Seo Spy Google arbitrary file upload 3.0 / 3.1
Wp Shop Original Unauthenticated Blind SQL Injection 3.4.3.15 / 3.4.3.16
Wp Shopping Cart Arbitrary File Upload Exploit 3.4 / n/a
Wp Simple Cart arbitrary file upload 0.9.0 / 1.0.15
Wp Slimstat Referer Header Cross-Site Scripting (XSS) 4.1.5.2 / 4.1.6
Wp Slimstat Ex arbitrary file upload 2.1 / 2.1.2
Wp Smiley CSRF & Cross-Site Scripting (XSS) 1.4.1 / n/a
Wp Social Bookmarking Light Authenticated Stored Cross-Site S… 1.7.9 / 1.7.10
Wp Social Invitations test.php Multiple Parameter Reflected XSS 1.4.4.2 / 1.4.4.3
Wp Statistics Referer Cross-Site Scripting (XSS) 9.5.1 / 9.5.2
Wp Stats CSRF & Stored Cross-Site Scripting (XSS) 2.51 / 2.52
Wp Stats Dashboard Authenticated Blind SQL Injection 2.9.4 / n/a
Wp Super Cache PHP Object Injection 1.4.4 / 1.4.5
Wp Superb Slideshow arbitrary file upload 2.0 / 2.4
Wp Survey And Poll Blind SQL Injection 1.1.7 / 1.1.91
Wp Survey And Quiz Tool Cross Site Scripting 2.9.2 / 2.9.3
Wp Swimteam Local File Inclusion v1.44.10777 / 1.45
Wp Symposium Unauthenticated Reflected Cross-Site Scripting … 15.8.1 / n/a
Wp Symposium Pro Unspecified 15.12 / 16.01
Wp Table (inc_dir) RFI 1.43 / n/a
Wp Table Reloaded zeroclipboard.swf id Parameter XSS 1.9.3 / 1.9.4
Wp Timed Popup CSRF & Stored XSS 1.3 / n/a
Wp Topbar XSS in ZeroClipboard.swf 3.04 / n/a
Wp Ultimate Csv Importer Reflected Cross-Site Scripting (XSS) 3.8.6 / 3.8.8
Wp Ultimate Exporter Unauthenticated SQL Injection 1.1 / n/a
Wp User Frontend Unrestricted File Upload 2.3.10 / 2.3.11
Wp Useronline Stored Cross-Site Scripting (XSS) 2.62 / 2.70
Wp Vertical Gallery arbitrary file upload 2.0 / 2.3
Wp Whois Cross Site Scripting 1.4.2 / n/a
Wp Yasslideshow arbitrary file upload 3.0 / 3.4
Wp125 Multiple XSS 1.4.4 / 1.4.5
Wp_rokbox thumb.php src Parameter Malformed Input Path Disclosure 2.13 / n/a
Wp_rokintroscroller XSS, DoS, Disclosure, Upload Vulnerabilities 1.8 / n/a
Wp_rokmicronews XSS, DoS, Disclosure, Upload Vulnerabilities 1.5 / n/a
Wp_roknewspager XSS, DoS, Disclosure, Upload Vulnerabilities 1.17 / n/a
Wp_rokstories XSS, DoS, Disclosure, Upload Vulnerabilities 1.25 / n/a
Wpbook Cross-Site Request Forgery (CSRF) 3.7 / 3.7.1
Wpdatatables SQL Injection 1.5.3 / 1.5.4
Wpdiscuz Reflected Cross-Site Scripting (XSS) 3.1.4 / 3.2.0
Wpeasystats local file inclusion (LFI) 1.8
Wpgform Cross-Site Scripting (XSS) 0.84 / 0.85
Wplegalpages Authenticated Stored Cross-Site Scripting (XSS) 1.0.1 / 1.1
Wpmarketplace Arbitrary File Download 2.4.0 / 2.4.1
Wppygments XSS in ZeroClipboard 0.3.2 / n/a
Wpshop arbitrary file upload 1.3.1.6 / 1.3.9.5
Wpsolr Search Engine Unauthenticated Reflected Cross-Site Scripting (XSS) 8.6 / 8.7
Wpss SQL Injection 0.6 / n/a
Wpstorecart arbitrary file upload 2.0.0 / 2.5.29
Wptf Image Gallery arbitrary file viewing 1.0.1 / 1.0.3
Wptouch Cross-Site Scripting (XSS) 3.7.5.3 / 3.7.6
Wr Contactform Authenticated SQL Injection 1.1.9 / 1.1.10
Wsecure Remote Code Execution (RCE) 2.3 / 2.4
Wti Like Post Unauthenticated Blind SQL Injection 1.4.2 / 1.4.3
Wysija Newsletters SQL Injection 2.7.2 / 2.7.3
X Forms Express Stored Cross-Site Scripting (XSS) 2.1.0 / n/a
Xcloner Backup And Restore Multiple Vulnerabilities (RCE & LFI) 3.1.1 / 3.1.2
Xdata Toolkit arbitrary file upload 1.6 / 1.9
Xerte Online File Upload 0.35 / 0.36
Xpinner Lite Cross-Site Scripting (XSS) & CSRF 2.2 / n/a
Yawpp Unauthenticated Stored Cross-Site Scripting (XSS) 1.2.2 / n/a
Yet Another Stars Rating Authenticated Blind SQL Injection 0.9.0 / 0.9.1
Yikes Inc Easy Mailchimp Extender Local File Inclusion (LFI) 6.0.5.5 / 6.1
Yith Maintenance Mode Authenticated Reflected Cross-Site Scri… 1.1.4 / 1.2.0
Yith Woocommerce Compare Unauthenticated PHP Object injection 2.0.9 / 2.1.0
Yolink Search includes/bulkcrawl.php Multiple Parameter SQL I… 1.1.4 / n/a
Yop Poll Reflected Cross-Site Scripting (XSS) 5.7.3 / 5.7.4
Yousaytoo Auto Publishing Plugin Cross Site Scripting 1.0 / n/a
Youtube Embed Authenticated Stored Cross-Site Scripting (XSS) 3.3.2 / 3.3.3
Zedity Cross-Site Scripting (XSS) 2.5.0 / 2.5.1
Zen Mobile App Native Remote File Upload 3.0 / n/a
Zero Spam Unauthenticated Blind SQL Injection 2.1.1 / 2.2.0
Zingiri Web Shop zing.inc.php page Parameter XSS 2.4.0 / 2.4.2
Zip Attachments Arbitrary File Download 1.1.4 / 1.5
Zopim Live Chat XSS in ZeroClipboard 1.2.5 / 1.2.6
Zotpress SQL Injection 4.4 / n/a


Has your WordPress site been hacked?

Don't despair; it happens to the best of us. It's tough to give generic advice without having a look at your site, but if you can still log in to your WP admin, we suggest installing the free Security Ninja plugin. It performs 40+ tests on your site, and with the Core add-on you can validate the integrity of your core files by comparing them to the secure master copies stored on WordPress.org. It's an invaluable tool for any WordPress site!


Sources

The list of latest dangerous and vulnerable WordPress plugins is compiled from various sources including: