With over 47 thousand plugins in the official WordPress repository and thousands more available on various other marketplaces and sites, finding those that work well is a daunting task. Finding WordPress plugins that are secure and won't endanger your site is an even harder task due to the complex nature of WordPress security and often massive plugins with thousands of lines of code.
Although we can't help you avoid every single bad plugin, we can pinpoint those that have known, confirmed vulnerabilities and security issues. Unless you know what you're doing, you're testing something on a local installation, or you're into WordPress security, you should not use the dangerous plugins listed below on production sites. The problems described in the table below are well known and documented, which makes it easy for anyone with bad intentions to exploit those security holes and attack your site.
By listing plugins on this page, we mean no disrespect to them or their authors! We only want to warn users not to install specific versions that have known security issues. If you feel your plugin has been listed by mistake or need help updating it, please contact us.
How to use this page and the list of vulnerable plugins?
If you're using any of the listed plugins, double-check the version number and confirm that it's the one with known problems. If so, remove the plugin immediately: deactivate it and delete it, not just deactivate it. You can also contact the author and ask whether the problems have been fixed and, if not, urge them to do so.
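As an added example (not part of the original page), a small Python checker that reads rows in the table format used below and reports whether an installed plugin version falls inside the listed affected range. It assumes the "Min / Max" range is inclusive at both ends, that "n/a" means the bound is unknown and is treated as open (so the version is conservatively flagged), and that a single version means only that version; the sample rows are copied from the table.

```python
import re
from typing import List, Optional, Tuple

# Sample rows constructed by copying a few entries from the table on this page,
# in its "Plugin Name | Vulnerability Type | Min / Max Versions Affected |" layout.
TABLE_ROWS = """
Plugin Name | Vulnerability Type | Min / Max Versions Affected |
---|---|---|
404 To 301 | Unauthenticated Stored Cross-Site Scripting (XSS) | 2.3.0 / 2.3.1 |
Tevolution | arbitrary file upload | 2.0 / 2.2.9 |
Ads Widget | remote code execution (RCE) | 2.0 / n/a |
Advanced Video Embed Embed Videos Or Playlists | arbitrary file viewing | n/a / 1.0 |
Aspose Doc Exporter | arbitrary file viewing | 1.0 |
Bulletproof Security | Multiple XSS Vulnerabilities | .53.3 / .53.4 |
Breadcrumbs Ez | remote code execution (RCE) | n/a |
"""

# (lower-cased plugin name, vulnerability text, min version or None, max version or None)
Entry = Tuple[str, str, Optional[str], Optional[str]]


def version_key(version: str) -> Tuple[int, ...]:
    """Reduce a version string to a tuple of its leading numeric components.

    '2.3.0' -> (2, 3, 0); '.53.3' -> (53, 3); '0.4.2b' -> (0, 4, 2).
    Assumption: pre-release suffixes (b, RC2, Beta) are ignored, which is
    good enough for the coarse "is this version in the listed range" check.
    """
    parts = []
    for piece in version.strip().lstrip(".").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic compare; '2.0' and '2.0.0' are equal."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def parse_rows(text: str) -> List[Entry]:
    """Parse table rows into (name, vulnerability, min, max) tuples.

    A bound of 'n/a' becomes None (unknown, treated as open below); a cell with
    a single version and no ' / ' separator is taken to mean that version only.
    """
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0].startswith("---") or cells[0] == "Plugin Name":
            continue
        name, vuln, versions = cells[0], cells[1], cells[2]
        # Split on the spaced slash only, so the slash inside 'n/a' survives.
        bounds = re.split(r"\s+/\s+", versions, maxsplit=1)
        low, high = (bounds[0], bounds[1]) if len(bounds) == 2 else (bounds[0], bounds[0])
        entries.append((
            name.lower(), vuln,
            None if low.lower() == "n/a" else low,
            None if high.lower() == "n/a" else high,
        ))
    return entries


def is_affected(entries: List[Entry], name: str, installed: str) -> List[str]:
    """Return the vulnerability descriptions whose listed range covers `installed`.

    The range is treated as inclusive at both ends, and an unknown bound is
    treated as open, so an unknown upper bound flags every later version. That
    is deliberately conservative: the page says to remove the plugin if in doubt.
    """
    hits = []
    for entry_name, vuln, low, high in entries:
        if entry_name != name.lower():
            continue
        if low is not None and cmp_versions(installed, low) < 0:
            continue
        if high is not None and cmp_versions(installed, high) > 0:
            continue
        hits.append(vuln)
    return hits


if __name__ == "__main__":
    table = parse_rows(TABLE_ROWS)
    for plugin, version in [("Tevolution", "2.1"), ("404 To 301", "2.3.2"), ("Ads Widget", "9.0")]:
        print(plugin, version, is_affected(table, plugin, version) or "not listed as affected")
```

To check a real site, replace the sample rows with the full table and feed in the names and versions reported on the Plugins screen.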
Vulnerability types
A quick reminder of the most common security holes and issues WordPress plugins face. Please note that most problems are a combination of two or more types listed below.
Arbitrary file viewing
Instead of allowing only certain files to be viewed (for example plugin templates), a lack of checks in the code lets the attacker view the source of any file, including those with sensitive information such as wp-config.php.
Arbitrary file upload
Lack of file type and content filtering allows the upload of arbitrary files that can contain executable code which, once run, can do pretty much anything on the site.
Privilege escalation
Once the attacker has an account on the site, even if it's only of the subscriber type, they can escalate their privileges to a higher level, including administrative ones.
SQL injection
When data that goes into SQL queries is not escaped and filtered, malicious input can be injected into the queries and data can be deleted, updated or inserted in the database. This is one of the most common vulnerabilities.
Remote code execution (RCE)
Instead of uploading and running malicious code, the attacker can run it from a remote location. The code can do anything, from hijacking the site to completely deleting it.
List of hacked, dangerous & vulnerable WordPress plugins
Plugin Name | Vulnerability Type | Min / Max Versions Affected |
---|---|---|
1 Flash Gallery | XSS in ZeroClipboard.swf | 1.9.0 / n/a |
2 Click Socialmedia Button | Cross Site Scripting | 0.34 / n/a |
360 Product Rotation | arbitrary file upload | 1.1.3 / 1.2.0 |
3bubble Amazon S3 Html 5 Video With Adverts | Arbitrary File Do… | 0.7 / n/a |
404 To 301 | Unauthenticated Stored Cross-Site Scripting (XSS) | 2.3.0 / 2.3.1 |
Tevolution | arbitrary file upload | 2.0 / 2.2.9 |
A To Z Category Listing | SQL Injection | 1.3 / n/a |
Ab Google Map Travel | CSRF/Stored XSS | 3.4 / 4.0 |
Accurate Form Data Real Time Form Validation | Cross-Site Scripting (XSS) & CSRF | 1.2 / n/a |
Acf Frontend Display | Arbitrary File Upload | 2.0.5 / n/a |
Acurax Social Media Widget | Authenticated Stored Cross-Site S… | 2.2 / 2.3 |
Ad Buttons | CSRF & XSS | 2.3.1 / n/a |
Ad Inserter | Authenticated Cross-Site Scripting (XSS) | 1.5.5 / 1.5.6 |
Add From Server | Cross-Site Request Forgery (CSRF) | 3.3.1 / 3.3.2 |
Add Link To Facebook | Authenticated Cross-Site Scripting (XSS) | 2.2.7 / 2.2.8 |
Addblockblocker | arbitrary file upload | 0.0.1 |
Addthis | Authenticated Cross-Site Scripting (… | 5.0.12 / 5.0.13 |
Admin Font Editor | Unauthenticated Reflected Cross-Site Scriptin… | 1.8 / n/a |
Admin Management Xtended | Privilege Escalation | 2.4.0 / 2.4.0.1 |
Admin Pack By Site Caseiro | Authenticated Stored Cross-Site Scri… | 1.1 / n/a |
Adplugg | Stored Cross-Site Scripting (XSS) | 1.1.33 / 1.1.34 |
Adrotate | clicktracker.php track Parameter SQL Injection | 3.9.4 / 3.9.5 |
Ads Widget | remote code execution (RCE) | 2.0 / n/a |
Advanced Access Manager | Privilege Escalation | 3.2.1 / 3.2.2 |
Advanced Ajax Page Loader | arbitrary file upload | 2.5.7 / 2.7.6 |
Advanced Custom Fields | Remote File Inclusion | 3.5.1 / 3.5.2 |
Advanced Custom Fields Table Field | Stored Cross-Site Script… | 1.1.12 / 1.1.13 |
Advanced Dewplayer | dewplayer.php Direct Request Path Disclosure… | 1.2 / n/a |
Advanced Text Widget | Cross Site Scripting | 2.0.0 / n/a |
Advanced Video Embed Embed Videos Or Playlists | arbitrary file viewing | n/a / 1.0 |
Advertizer | SQL Injection | 1.0 / n/a |
Age Verification | Open Redirect | 0.4 / n/a |
Ajax Load More | Local File Inclusion (LFI) | 2.11.1 / 2.11.2 |
Ajax Random Post | Unauthenticated Reflected Cross-Site Scriptin… | 2.00 / n/a |
Ajax Search Lite | Authenticated RCE | 3.1 / 3.11 |
Ajax Search Pro | Cross-Site Request Forgery (CSRF) Add User | 3.5 / 4.0 |
Ajax Store Locator | Remote SQL Injection | 1.2 / n/a |
Ajaxgallery | SQL Injection | 3.0 / n/a |
Albo Pretorio On Line | Multiple Vulnerabilities | 3.2 / 3.3 |
All In One Seo Pack | Unauthenticated Stored Cross-Site Script… | 2.3.7 / 2.3.8 |
All In One Wp Migration | Unauthenticated Database Export | 2.0.4 / 2.0.5 |
All In One Wp Security And Firewall | Cross-Site Scripting (XSS) | 4.2.1 / 4.2.2 |
Allow Php In Posts And Pages | SQL Injection | 2.0.0.RC2 / 2.1.0 |
Allwebmenus WordPress Menu Plugin | Shell Upload | 1.1.9 / n/a |
Alo Easymail | Cross-Site Request Forgery (CSRF) | 2.9.2 / 2.9.3 |
Alpine Photo Tile For Instagram | Authenticated Cross-Site Scr… | 1.2.7.5 / 1.2.7.6 |
Altos Connect | Unauthenticated Cross-Site Scripting (XSS) | 1.3.0 / n/a |
Analytics Counter | Unauthenticated PHP Object I… | 3.4.0 / 3.5.0 |
Another WordPress Classifieds Plugin | Unspecified Image Upload | 1.8.9.4 / 2.0 |
Anti Plagiarism | Unauthenticated Reflected Cross-Site Scripting… | 3.60 / n/a |
Appointment Booking Calendar | SQL Injection | 1.1.24 / 1.1.25 |
Aryo Activity Log | Cross-Site Scripting (XSS) in 'page' | 2.3.2 / 2.3.3 |
Aspose Cloud Ebook Generator | arbitrary file viewing | 1.0 |
Aspose Doc Exporter | arbitrary file viewing | 1.0 |
Aspose Importer Exporter | arbitrary file viewing | 1.0 |
Aspose Pdf Exporter | arbitrary file viewing | 1.0 |
Attachment Manager | arbitrary file upload | 1.0.0 / 2.1.1 |
Auto Attachments | arbitrary file upload | 0.2.7 / 0.3 |
Auto Thickbox Plus | Reflected Cross-Site Scripting (XSS) | 1.9 / n/a |
Avenirsoft Directdownload | Cross-Site Scripting (XSS) & CSRF | 1.0 / n/a |
Aviary Image Editor Add On For Gravity Forms | Unauthenticate… | 3.0beta / n/a |
Awesome Filterable Portfolio | Authenticated Blind SQL Injection | 1.8.6 / 1.9 |
Backup | Arbitrary File Upload | 1.0.2 / 1.0.3 |
Backupwordpress | RFI | 0.4.2b / 0.4.3 |
Bad Behavior | Cross-Site Scripting (XSS) | 2.2.4 / 2.2.5 |
Banner Effect Header | Cross-Site Scripting (XSS) | 1.2.7 / 1.2.8 |
Bbpress | Display Name & Avatar Potential Cross-Site Scripting … | 2.5.9 / 2.5.10 |
Bbpress Like Button | SQL injection | 1.0 / 1.5 |
Bepro Listings | arbitrary file upload | 2.0.54 / 2.2.0020 |
Better Search | Reflective XSS | 1.3.4 / 1.3.5 |
Better Wp Security | Unauthenticated Stored Cross-Site Scripting … | 5.6.1 / 5.6.2 |
Bird Feeder | CSRF & XSS | 1.2.3 / n/a |
Bj Lazy Load | Remote File Inclusion (Timthumb) | 0.7.5 / 1.0 |
Blaze Slide Show For WordPress | arbitrary file upload | 2.0 / 2.7 |
Booking | SQL Injection | 6.2 / 6.2.1 |
Booking Calendar Contact Form | Multiple Authenticated Vulnerab… | 1.0.2 / 1.0.3 |
Booking System | Authenticated Blind SQL Injection | 2.0 / 2.1 |
Bookings | controlpanel.php error Parameter XSS | 1.8.2 / 1.8.3 |
Bookmarkify | Cross-Site Scripting (XSS) & CSRF | 2.9.2 / n/a |
Bp Code Snippets | XSS in ZeroClipboard | 2.0 / n/a |
Bp Profile Search | PHP Object Injection | 4.5.3 / 4.6 |
Braftonwordpressplugin | Reflected XSS | 3.4.7 / 3.4.8 |
Brandfolder | File Inclusion | 3.0 / 3.0.1 |
Breadcrumbs Ez | remote code execution (RCE) | n/a |
Broken Link Checker | Unauthenticated Stored XSS | 1.10.8 / 1.10.9 |
Broken Link Manager | Unauthenticated Stored Cross-Site Scripti… | 0.5.5 / 0.6.0 |
Buckets | XSS in ZeroClipboard | 0.1.9.2 / n/a |
Buddypress | Authenticated Privilege Escalation | 2.3.4 / 2.3.5 |
Buddypress Activity Plus | Cross-Site Request Forgery (CSRF) | 1.5 / 1.6.2 |
Bulk Delete | Privilege Escalation | 5.5.3 / 5.5.4 |
Bulletproof Security | Multiple XSS Vulnerabilities | .53.3 / .53.4 |
Calculated Fields Form | SQL Injection via CSRF | 1.0.10 / 1.0.12 |
Caldera Forms | Cross Site Scripting | 1.3.5.3 / 1.4.2 |
Calendar | Cross Site Scripting | 1.3.7 / 1.3.8 |
Candidate Application Form | Arbitrary File Download | 1.0 / n/a |
Captcha | Captcha Bypass | 4.0.6 / 4.0.7 |
Car Rental System | SQL Injection | 3.0 / 3.1 |
Cardoza Ajax Search | SQL Injection | 1.3 / 1.4 |
Cardoza WordPress Poll | Multiple External Function Remote Poll… | 34.05 / 34.06 |
Cart66 Lite | SQL Injection | 1.5.3 / 1.5.4 |
Catablog | Cross Site Scripting | 1.6 / n/a |
Category Grid View Gallery | arbitrary file upload | 0.1.0 / 0.1.1 |
Cforms | Remote Code Execution via Unauthorised File … | 14.7 / n/a |
Chained Quiz | Cross-Site Scripting (XSS) | 0.9.8 / 0.9.9 |
Chat | Cross-Site Scripting (XSS) in 'message' Parameter | 1.0.8 / 1.0.8.1 |
Check Email | Cross-Site Scripting (XSS) | 0.5 / 0.5.1 |
Cherry Plugin | arbitrary file upload | 1.0 / 1.2.6 |
Chikuncount | arbitrary file upload | 1.3 |
Church Admin | Stored Cross-Site Scripting (XSS) | 0.800 / 0.810 |
Cimy User Manager | Arbitrary File Disclosure | 1.4.2 / 1.4.4 |
Cip4 Folder Download Widget | arbitrary file viewing | 1.4 / 1.10 |
Citizen Space | Reflected Cross-Site Scripting (XSS) | 1.1 / n/a |
Ckeditor For WordPress | Authenticated Reflected Cross-Site Scr… | 4.5.3 / 4.5.3.1 |
Claptastic Clap Button | Authenticated Cross-Site Scripting (XSS) | 1.3 / n/a |
Clean And Simple Contact Form By Meg Nicholas | Cross-Site Scripting (XSS) | 4.4.0 / 4.4.1 |
Cleantalk Spam Protect | Unauthenticated Reflected Cross-Site Sc… | 5.21 / 5.22 |
Cleeng | XSS in ZeroClipboard | 2.3.2 / n/a |
Click To Copy Grab Box | XSS in ZeroClipboard | 0.1.1 / n/a |
Clickbank Ads Clickbank Widget | CSRF/XSS | 1.7 / n/a |
Clicky | Minor Security Improvements | 1.5 / 1.6 |
Cloudflare | Cross-Site Scripting (XSS) | 1.3.20 / 1.3.21 |
Cm Ad Changer | Stored Cross-Site Scripting (XSS) | 1.7.7 / 1.7.8 |
Cm Download Manager | XSS & CSRF | 2.0.6 / 2.0.7 |
Cms Commander Client | Unauthenticated PHP Object Injection | 2.21 / 2.22 |
Code Snippets | Authenticated Reflected Cross-Site Scripting (XSS) | 2.6.1 / 2.7.0 |
Codestyling Localization | Cross Site Scripting | 1.99.17 / 1.99.20 |
Collision Testimonials | SQL Injection | 3.0 / n/a |
Commentator | Reflected Cross-Site Scripting (XSS) | 2.5.2 / 2.5.3 |
Community Events | SQL Injection | 1.3.5 / 1.4 |
Connections | Reflected Cross-Site Scripting (XSS) | 8.5.8 / 8.5.9 |
Contact Bank | Cross-Site Scripting (XSS) | 2.1.21 / 2.1.23 |
Contact Form 7 | File Upload Remote Code Execution | 3.5.2 / 3.5.3 |
Contact Form 7 To Database Extension | Cross-Site Request Forgery (CSRF) | 2.8.29 / 2.8.32 |
Contact Form Builder | Authenticated Blind SQL Injection | 1.0.24 / 1.0.25 |
Contact Form Generator | Multiple Cross-Site Request Forgery (C… | 2.0.1 / n/a |
Contact Form Maker | Authenticated Blind SQL Injection | 1.7.30 / 1.7.31 |
Contact Form Manager | Authenticated Reflected Cross-Site Scrip… | 1.4.1 / 1.4.2 |
Contact Form Plugin | Stored Cross-Site Scripting (XSS) | 4.0.1 / 4.0.2 |
Contact Form To Email | Authenticated Reflected Cross-Site Scr… | 1.1.47 / 1.1.48 |
Contact Form WordPress | SQL Injection | 2.7.5 / n/a |
Content Slide | CSRF & Stored XSS | 1.4.2 / n/a |
Contus Hd Flv Player | SQL Injection | 1.3 / n/a |
Contus Video Gallery | Unprotected Mail Page | 2.8 / n/a |
Cookie Eu | remote code execution (RCE) | 1.0 |
Cool Video Gallery | Authenticated Command Injection | 1.9 / 2.0 |
Copy In Clipboard | XSS in ZeroClipboard | 0.8 / n/a |
Copyright Licensing Tools | SQL Injection | 1.1.4 / n/a |
Count Per Day | Authenticated Reflected Cross-Site Scripting (XSS) | 3.5.4 / 3.5.5 |
Coupon Code Plugin | XSS in ZeroClipboard | 2.1 / n/a |
Couponer | SQL Injection | 1.2 / n/a |
Cp Contact Form With Paypal | Multiple Vulnerabilities | 1.1.5 / 1.1.6 |
Cp Image Store | Purchase ID Brute Force Prevention | 1.0.6 / 1.0.7 |
Cp Multi View Calendar | Unauthenticated SQL Injection | 1.1.7 / 1.1.8 |
Cp Polls | Multiple XSS Vulnerabilities | 1.0.8 / 1.0.9 |
Cp Reservation Calendar | Unauthenticated SQL Injection | 1.1.6 / 1.1.7 |
Crawlrate Tracker | SQL Injection | 2.0.2 / n/a |
Crayon Syntax Highlighter | Local File Disclosure | 2.6.10 / 2.7.0 |
Crazy Bone | Unauthenticated Stored Cross-Site Scripting (XSS) | 0.5.5 / 0.6.0 |
Crony | Cross-Site Scripting (XSS) & CSRF | 0.4.4 / 0.4.6 |
Cross Rss | arbitrary file viewing | 0.5 |
Crossslide Jquery Plugin For WordPress | Stored XSS & CSRF | 2.0.5 / n/a |
Csv2wpec Coupon | Unauthenticated Remote File Upload | 1.1 / n/a |
Cta | Reflected Cross-Site Scripting (XSS) | 2.4.3 / 2.5.1 |
Custom Contact Forms | Cross Site Scripting | 5.0.0.1 / n/a |
Custom Content Type Manager | Remote Code Execution | 0.9.8.5 / 0.9.8.6 |
Custom Field Suite | Insufficient Authorisation | 2.4 / 2.4.1 |
Custom Metas | Cross-Site Scripting (XSS) | 1.5.1 / n/a |
Cysteme Finder | Unauthenticated LFI and Unauthenticated File Upload | 1.3 / 1.4 |
Database Sync | Reflected Cross-Site Scripting (XSS) | 0.4 / 0.5 |
Db Backup | Path Traversal File Access | 4.5 / n/a |
Deans Fckeditor With Pwwangs Code Plugin For WordPress | Remote Shell Upload | 1.0.0 / n/a |
Defa Online Image Protector | Unauthenticated Reflected Cross-Sit… | 3.3 / n/a |
Delete All Comments | arbitrary file upload | 2.0 |
Developer Tools | arbitrary file upload | 1.0.0 / 1.1.4 |
Dewplayer Flash Mp3 Player | dewplayer.php Direct Request Path Disclosure Weakness | 1.2 / n/a |
Directdownload | Unauthenticated LFI | 1.15 / n/a |
Disclosure Policy Plugin | remote file inclusion (RFI) | 1.0 |
Display Widgets | Authenticated Cross-Site Scripting (XSS) | 2.03 / 2.04 |
Disqus Comment System | Cross-Site Scripting (XSS) & CSRF | 2.75 / 2.76 |
Dop Slider | arbitrary file upload | 1.0 |
Double Opt In For Download | Authenticated SQL Injection | 2.0.9 / 2.1.0 |
Download Manager | Multiple Vulnerabilities | 2.8.7 / 2.8.8 |
Download Monitor | Cross-Site Scripting (XSS) | 1.7.0 / 1.7.1 |
Download Zip Attachments | Arbitrary File Download | 1.0 / n/a |
Downloads Manager | arbitrary file upload | 1.0 Beta / 1.0 rc-1 |
Dp Thumbnail | arbitrary file upload | 1.0 |
Dropbox Backup | PHP object injection | 1.0 / 1.4.7.5 |
Drp Coupon | XSS in ZeroClipboard | 2.1 / n/a |
Dukapress | Unauthenticated Blind SQL Injection | 2.5.9 / 2.5.9.1 |
Duplicator | Cross-Site Request Forgery (CSRF) | 1.1.3 / 1.1.4 |
Dw Question Answer | Stored Cross-Site Scripting (XSS) | 1.4.2.2 / 1.4.2.3 |
Dynamic Widgets | Authenticated Cross-Site Scripting (XSS) | 1.5.10 / 1.5.11 |
Dzs Videogallery | Multiple Vulnerabilities | 8.60 / n/a |
Dzs Zoomsounds | Remote File Upload | 2.0 / n/a |
E Search | Unauthenticated Reflected Cross-Site Scripting (XSS) | 1.0 / n/a |
Easing Slider | 2 x Cross-Site Scripting (XSS) | 2.2.0.6 / 2.2.0.7 |
Easy Coming Soon | Authenticated Stored Cross-Site Scripting (XSS) | 1.8.1 / 1.8.2 |
Easy Contact Form Lite | SQL Injection | 1.0.7 / n/a |
Easy Digital Downloads | PHP Object Injection | 2.5.7 / 2.5.8 |
Easy Media Gallery | Cross Site Scripting (XSS) | 1.3.47 / 1.3.50 |
Easy Photo Album | Album Information Disclosure | 1.1.5 / 1.1.6 |
Easy Pie Coming Soon | Authenticated Cross-Site Scripting (XSS) | 1.0.0 / 1.0.1 |
Easy Social Icons | Authenticated SQL Injection | 1.2.3.1 / 1.2.4 |
Easy Social Share Buttons For WordPress | Cross-Site Scripting (XSS) | 3.2.5 / 3.5 |
Easy Table | Authenticated Cross-Site Scripting (XSS) | 1.5.2 / 1.5.3 |
Easy Testimonials | Authenticated Stored Cross-Site Scripting … | 1.36.1 / 1.37 |
Easy2map | Local File Inclusion | 1.2.9 / 1.3.0 |
Easy2map Photos | SQL Injection | 1.0.9 / 1.1.0 |
Ebook Download | arbitrary file viewing | 1.1 |
Echosign | Reflected Cross-Site Scripting (XSS) | 1.1 / 1.2 |
Ecstatic | arbitrary file upload | 0.90 (x9) / 0.9933 |
Ecwid Shopping Cart | Unauthenticated PHP Object Inje… | 4.4.3 / 4.4.4 |
Ed2k Link Selector | XSS in ZeroClipboard | 1.1.7 / n/a |
Elisqlreports | Authenticated Arbitrary Code Execution | 4.11.33 / 4.11.37 |
Email Encoder Bundle | Unauthenticated Cross-Site Scripting (XSS) | 1.4.1 / 1.4.2 |
Email Newsletter | Authenticated Cross-Site Scripting (XSS) | 20.13.6 / n/a |
Email Subscribers | Multiple XSS & SQLi | 2.9 / 2.9.1 |
Email Users | Cross-Site Request Forgery (CSRF) | 4.8.3 / 4.8.4 |
Embed Articles | CSRF & Stored XSS | 7.0.3 / n/a |
Enable Google Analytics | remote code execution (RCE) | n/a |
Enable Media Replace | Multiple Vulnerabilities | 2.3 / 2.4 |
Encrypted Contact Form | CSRF & XSS | 1.0.4 / 1.1 |
Enhanced Tooltipglossary | XSS | 3.3.4 / 3.3.5 |
Erident Custom Login And Dashboard | Unspecified CSRF | 3.4.1 / 3.5 |
Eshop | Remote Code Execution | 6.3.11 / 6.3.12 |
Estatik | arbitrary file upload | 1.0.0 / 2.2.5 |
Evarisk | SQL Injection | 5.1.3.6 / n/a |
Event Commerce Wp Event Calendar | persistent cross-site scripting (XSS) | 1.0 |
Event Registration | SQL Injection | 5.44 / n/a |
Events Made Easy | Cross-Site Scripting (XSS) | 1.6.20 / 1.6.21 |
Ewww Image Optimizer | Remote Code Execution | 2.8.3 / 2.8.4 |
Ez Portfolio | Multiple Cross-Site Scripting (XSS) | 1.0.1 / 1.0.2 |
Ezpz One Click Backup | Unauthenticated Command Execution | 12.03.10 / n/a |
Facebook Opengraph Meta Plugin | SQL Injection | 1.0 / n/a |
Facebook Page Photo Gallery | DOM Cross-Site Scripting (XSS) | 2.0.9 / n/a |
Faq Wd | Cross-Site Scripting (XSS) | 1.0.14 / 1.0.17 |
Fast Image Adder | Unauthenticated Remote File Upload | 1.1 / n/a |
Favicon By Realfavicongenerator | Cross-Site Scripting (XSS) | 1.2.12 / 1.2.13 |
Fbpromotions | SQL Injection | 1.3.3 / n/a |
Feedweb | Cross-Site Scripting (XSS) | 1.8.8 / 1.9 |
Feedwordpress | XSS & SQL-Injection | 2015.0426 / 2015.0514 |
File Groups | SQL Injection | 1.1.2 / n/a |
Filedownload | arbitrary file viewing | 0.1 |
Flash Album Gallery | Full Path Disclosure | 4.24 / 4.25 |
Flickr Justified Gallery | Reflected Cross-Site Scripting (XSS) | 3.3.6 / 3.4.0 |
Floating Social Bar | Cross-Site Scripting (XSS) | 1.1.5 / 1.1.7 |
Floating Social Media Icon | Authenticated Stored Cross-Site Scri… | 2.1 / 2.2 |
Floating Social Media Links | fsml-admin.js.php wpp Parameter R… | 1.4.2 / 1.4.3 |
Fluid Responsive Slideshow | CSRF & XSS | 2.2.6 / n/a |
Font | Authenticated Path Traversal | 7.5 / 7.5.1 |
Foobox Image Lightbox | Cross-Site Scripting (XSS) | 1.0.4 / 1.0.5 |
Form Lightbox | option update | 1.1 / 2.1 |
Formbuilder | Multiple Authenticated SQL Injection | 1.0.7 / 1.0.8 |
Formidable | Authenticated Blind SQL Injection | 1.07.11 / 2.0 |
Forum Server | wpf-insert.php edit_post_id Parameter SQL Inj… | 1.7.3 / 1.7.4 |
Fossura Tag Miner | Cross-Site Request Forgery (CSRF) | 1.1.2 / 1.1.5 |
Freshmail Newsletter | shortcode.php SQL Injection | 1.5.8 / 1.6 |
Front End Upload | Arbitrary File Upload | 0.5.4.4 / 0.5.4.5 |
Front File Manager | arbitrary file upload | 0.1 |
Frontend Uploader | Cross Site Scripting (XSS) | 0.9.2 / n/a |
Fs Real Estate Plugin | SQL injection | 1.1 / 2.06.03 |
Fv WordPress Flowplayer | Authenticated Stored Cross-Site Scr… | 6.0.3.3 / 6.0.3.4 |
G Translate | remote code execution (RCE) | 1.0 / 1.3 |
G Web Shop | ajax_file_cut.php selectedDoc Parameter Remo… | 2.2.3 / 2.2.4 |
Gallery Bank | Authenticated Blind SQL Injection | 3.0.229 / 3.0.330 |
Gallery By Supsystic | Authenticated Stored Cross-Site Sc… | 1.8.5 / 1.8.6 |
Gallery Images | Stored Cross-Site Scripting (XSS) | 2.0.5 / 2.0.6 |
Gallery Objects | SQL Injection | 0.4 / n/a |
Gallery Slider | remote code execution (RCE) | 2.0 / 2.1 |
Gd Bbpress Attachments | Authenticated Reflected Cross-Site Scrip… | 2.2 / 2.3 |
Gd Star Rating | Cross-Site Scripting (XSS) | 1.9.16 / n/a |
Genesis Simple Defaults | arbitrary file upload | 1.0.0 |
Geo Mashup | Cross-Site Scripting (XSS) | 1.8.2 / 1.8.3 |
Geshi Source Colorer | XSS in ZeroClipboard | 0.13 / n/a |
Ghost | Unrestricted Export Download | 0.5.5 / 0.5.6 |
Gi Media Library | Arbitrary File Download | 2.2.2 / 3.0 |
Gigpress | Authenticated XSS & Blind SQLi | 2.3.10 / 2.3.11 |
Global Content Blocks | SQL Injection | 1.2 / n/a |
Gocodes | Authenticated XSS & Blind SQL Injection | 1.3.5 / n/a |
Godaddy Email Marketing Sign Up Forms | Cross-Site Request Forgery (CSRF) | 1.1.3 / 1.1.4 |
Google Adsense And Hotel Booking | Open Proxy | 1.05 / n/a |
Google Analyticator | Multiple Cross-Site Scripting (XSS) | 6.4.9.4 / 6.4.9.6 |
Google Analytics Analyze | remote code execution (RCE) | 1.0 |
Google Analytics For WordPress | Authenticated Stored Cross-Site Scr… | 5.4.4 / 5.4.5 |
Google Authenticator | Two Factor Authentication Bypass | 0.47 / 0.48 |
Google Captcha | Authentication Bypass | 1.12 / 1.13 |
Google Document Embedder | Cross-Site Scripting (XSS) | 2.5.18 / 2.5.19 |
Google Language Translator | Authenticated Cross-Site Scripting… | 4.0.9 / 5.0.0 |
Google Map Wp | Authenticated SQL Injection | 2.2.5 / n/a |
Google Maps | Authenticated Reflected Cross-Site Scripting (XSS) | 2.1.3 / 2.1.4 |
Google Maps By Daniel Martyn | remote code execution (RCE) | 1.0 |
Google Mp3 Audio Player | arbitrary file viewing | 1.0.9 / 1.0.11 |
Google Seo Author Snippets | Reflected Cross-Site Scripting (XSS) | 1.2.6 / 1.2.7 |
Googmonify | CSRF & XSS | 0.5.1 / n/a |
Gotmls | XSS & CSRF | 4.15.42 / 4.15.43 |
Grapefile | Arbitrary File Upload | 1.1 / n/a |
Gravity File Ajax Upload Free | Arbitrary File Upload | 1.1 / n/a |
Gravityforms | Authenticated Blind Cross-Site Scripting (XSS) | 2.0.6.5 / 2.0.7 |
Groupdocs Comparison | Multiple Parameter XSS | 1.0.2 / 1.0.3 |
Gtranslate | Unauthenticated Open Redirect | 2.8.10 / 2.8.11 |
Gwolle Gb | Cross-Site Request Forgery (CSRF) | 2.1.0 / 2.1.1 |
Haiku Minimalist Audio Player | jPlayer.swf XSS | 1.1.0 |
Hb Audio Gallery Lite | arbitrary file viewing | 1.0.0 |
Hdw Tube | Unauthenticated Reflected Cross-Sit… | 1.2 / n/a |
Hero Maps Pro | Unauthenticated Reflected Cross-Site Scripting … | 2.1.0 / n/a |
Hide_my_wp | Stored Cross-Site Scripting (XSS) | 4.53 / 4.54 |
History Collection | Arbitrary File Download | 1.1.1 / n/a |
Html5avmanager | arbitrary file upload | 0.1.0 / 0.2.7 |
I Dump Iphone To WordPress Photo Uploader | File Upload | 1.8 / n/a |
Ibs Mappro | Directory Traversal | 0.6 / 1.0 |
Icegram | Cross-Site Request Forgery (CSRF) | 1.9.18 / 1.9.19 |
Iframe | Authenticated Stored Cross-Site Scripting (XSS) | 3.0 / 4.0 |
Iframe Admin Pages | Cross Site Scripting | 0.1 / n/a |
Image Export | Directory Traversal | 1.1.0 / n/a |
Image Gallery With Slideshow | Arbitrary File Upload / SQL Injection | 1.5 / n/a |
Image Slider Widget | Authenticated Arbitrary File Deletion | 1.1.89 / 1.1.90 |
Imdb Widget | Local File Inclusion (LFI) | 1.0.8 / 1.0.9 |
Import Woocommerce | Reflected Cross-Site Scripting (XSS) | 1.0.1 / 1.1 |
Inazo Advanced Ads Management | Authenticated Stored Cross-Site Scripti… | 1.3 / 1.4 |
Inboundio Marketing | Shell Upload | 2.0.3 / n/a |
Incoming Links | referrers.php XSS | 0.9.9b / 0.9.10b |
Indexisto | Unauthenticated Reflected Cro… | 1.0.5 / n/a |
Indieweb Post Kinds | DOM Cross-Site Scripting (XSS) | 1.3.1 / 1.3.1.1 |
Infusionsoft | Unauthenticated Reflected … | 1.5.11 / 1.5.12 |
Inpost Gallery | local file inclusion (LFI) | 2.0.9 / 2.1.2 |
Insert Html Snippet | Cross-Site Request Forgery (CSRF) | 1.2 / 1.2.1 |
Instagram Feed | Authenticated Cross-Site Scripting (XSS) & … | 1.4.6.2 / 1.4.7 |
Instalinker | Reflected Cross-Site Scripting (XSS) | 1.1.1 / 1.1.2 |
Invit0r | arbitrary file upload | 0.2 / 0.22 |
Ip Blacklist Cloud | Arbitrary File Disclosure | 3.42 / 3.43 |
Ip Logger | SQL Injection | 3.0 / n/a |
Iq Block Country | Authenticated Reflected Cross-Site Scriptin… | 1.1.19 / 1.1.20 |
Is Human | Remote Command Execution | 1.4.2 / n/a |
Itwitter | XSS & CSRF | 0.04 / n/a |
Iwp Client | Unauthenticated PHP Object Injection | 1.6.0 / 1.6.1.1 |
Jammer | jPlayer.swf XSS | 0.2 / n/a |
Jaspreetchahals Coupons Lite | XSS in ZeroClipboard | 2.1 / n/a |
Java Trackback | XSS in ZeroClipboard | 0.2 / n/a |
Jetpack | Multiple Vulnerabilities | 4.0.3 / 4.0.4 |
Jm Twitter Cards | Full Path Disclosure (FPD) | 6.1 / 6.2 |
Job Manager | Authenticated Reflected Cross-Site Scripting (XSS) | 0.7.24 / 0.7.25 |
Joliprint | Cross Site Scripting | 1.3.0 / n/a |
Js Appointment | SQL Injection | 1.5 / n/a |
Js_composer | Multiple Unspecified Cross-Site Scripting (XSS) | 4.7.3 / 4.7.4 |
Json Rest Api | Cross-Site Scripting (XSS) | 1.2.2 / 1.2.3 |
Jssor Slider | arbitrary file upload | 1.0 / 1.3 |
Jw Player Plugin For WordPress | Authenticated Cross-Site Sc… | 2.1.14 / n/a |
Kento Post View Counter | CSRF & multiple XSS | 2.8 / n/a |
Kiwi Logo Carousel | Authenticated Cross-Site Scripting (XSS) | 1.7.1 / 1.7.2 |
Knr Author List Widget | SQL Injection | 2.0.0 / n/a |
Landing Pages | Reflected Cross-Site Scripting (XSS) | 2.2.4 / 2.2.5 |
Lazy Load | Cross-Site Scripting (XSS) | 0.6 / 0.6.1 |
Lazyest Gallery | EXIF Script Insertion | 1.1.20 / 1.1.21 |
Leaflet | Cross Site Scripting | 0.0.1 / n/a |
Leaguemanager | Unauthenticated SQL Injection | 3.9.11 / n/a |
Leenkme | XSS & CSRF | 2.5.0 / 2.6.0 |
Lightbox | Cross-Site Scripting (XSS) | 1.6.7 / 1.6.8 |
Like Dislike Counter For Posts Pages And Comments | SQL injection | 1.0 / 1.2.3 |
Link Library | Authenticated Reflected Cross-Site Scripting… | 5.9.12.29 / 5.9.12.30 |
Liveforms | Unauthenticated Stored Cross-Site Scripting (XSS) | 1.2.0 / 1.3.0 |
Mac Dock Gallery | arbitrary file upload | 1.0 / 2.7 |
Magic Fields | Authenticated Cross-Site Scripting (XSS) | 1.7.1 / 1.7.2 |
Magn Html5 Drag And Drop Media Uploader | Upload Shell Upload | 1.1.4 / n/a |
Mailchimp For Wp | Authenticated Cross-Site Scripting (… | 4.0.10 / 4.0.11 |
Mailchimp Integration | remote code execution (RCE) | 1.0.1 / 1.1 |
Mailchimp Subscribe Sm | Email Field Remote PHP Code Execution | 1.1 / 1.2 |
Mailcwp | Unauthenticated Arbitrary File Upload | 1.99 / 1.110 |
Mailpress | local file inclusion (LFI) | 5.2 / 5.4.6 |
Mainwp | Unauthenticated Stored Cross-Site Scripting (XSS) | 3.1.2 / 3.1.3 |
Mainwp Child | Unspecified | 2.0.22 / 2.0.23 |
Manual Image Crop | Authenticated Reflected Cross-Site Scripting… | 1.10 / 1.11 |
Markdown On Save Improved | Stored Cross-Site Scripting (XSS) | 2.5 / 2.5.1 |
Mashsharer | Information Disclosure | 2.3.0 / 2.3.1 |
Master Slider | Reflected Cross-Site Scripting (XSS) | 2.7.1 / 2.8.0 |
Mdc Private Message | Authenticated Stored Cross-Site Scripting… | 1.0.0 / 1.0.1 |
Mdc Youtube Downloader | Local File Inclusion | 2.1.0 / 2.1.1 |
Media File Manager Advanced | Multiple Vulnerabilities | 1.1.5 / n/a |
Media File Renamer | Stored Cross-Site Scripting (XSS) | 1.7.0 / 2.2.2 |
Media Library Categories | SQL Injection | 1.0.6 / n/a |
Membersonic Lite | Authentication Bypass | 1.2 / 1.302 |
Memphis Documents Library | Arbitrary File Download | 3.1.5 / 3.1.6 |
Menu Image | malicious JavaScript loading | 2.6.5 / 2.6.9 |
Microblog Poster | Authenticated Blind SQL Injection | 1.6.0 / 1.6.2 |
Mingle Forum | Cross Site Scripting / SQL Injection | 1.0.32.1 / n/a |
Ml Slider | Cross-Site Scripting (XSS) | 2.5 / 2.6 |
Mm Duplicate | SQL Injection | 1.2 / n/a |
Mm Forms Community | SQL Injection | 1.2.3 / n/a |
Mobile Domain | CSRF/XSS | 1.5.2 / n/a |
Mobileview | XSS in ZeroClipboard | 1.0.7 / n/a |
Monetize | Cross-Site Scripting (XSS) & CSRF | 1.03 / n/a |
Moodthingy Mood Rating Widget | Multiple SQL Injection | 0.9.1 / 0.9.2 |
Mp3 Jplayer | Full Path Disclosure | 2.3.3 / n/a |
Mtouch Quiz | Multiple Vulnerabilities XSS & CSRF | 3.1.2 / 3.1.3 |
Multi Plugin Installer | Unauthenticated File Traversal | 1.1.0 / 1.2.0 |
Multicons | Authenticated Stored Cross-Site Scripting (XSS) | 2.1 / 3.0 |
Multisite Post Duplicator | Cross-Site Request Forgery (CSRF) | 0.9.5.1 / 1.1.3 |
Music Store | Cross-Site Scripting (XSS) | 1.0.41 / 1.0.43 |
My Calendar | Arbitrary File Override & Reflected XSS | 2.3.29 / 2.3.30 |
My Category Order | Authenticated Cross-Site Scripting (XSS) | 4.3 / n/a |
My Link Order | Authenticated Cross-Site Scripting (XSS) | 4.3 / n/a |
My Page Order | Authenticated Cross-Site Scripting (XSS) | 4.3 / n/a |
Myflash | (wppath) RFI | 1.00 / n/a |
Mygallery | Remote File Inclusion | 1.4b4 / n/a |
Mypixs | Unauthenticated Local File Inclusion (LFI) | 0.3 / n/a |
Mystat | SQL Injection | 2.6 / n/a |
Mz Jajak | index.php id Parameter SQL Injection | 2.1 / n/a |
Nelio Ab Testing | Server Side Request Forgery (SSRF) | 4.5.8 / 4.5.9 |
Network Publisher | Cross Site Scripting | 5.0.1 / n/a |
Neuvoo Jobroll | Unauthenticated Reflected Cross-Site Scripting (… | 2.0 / n/a |
New Year Firework | Unauthenticated Reflected Cross-Site Script… | 1.1.9 / n/a |
Newsletter | SQL Injection | 3.0.8 / 3.0.9 |
Newsletter Manager | Cross Site Scripting | 1.0.2 |
Newstatpress | Stored Cross-Site Scripting (XSS) | 1.2.4 / 1.2.5 |
Nex Forms Express Wp Form Builder | Unauthenticated Blind SQL Injection | 4.0 / 4.6.1 |
Nextend Facebook Connect | Cross-Site Request Forgery (CSRF) | 1.5.7 / 1.5.8 |
Nextend Twitter Connect | Reflected Cross-Site Scripting (XSS) | 1.5.1 / 1.5.2 |
Nextgen Gallery | Unauthenticated SQL Injection | 2.1.77 / 2.1.79 |
Ninja Forms | Authenticated SQL Injection | 2.9.55.1 / 2.9.55.2 |
Nmedia User File Uploader | Arbitrary File Upload | 3.9 / 4.0 |
Nofollow Links | Cross-Site Scripting (XSS) | 1.0.10 / 1.0.11 |
Nokia Mapsplaces | Reflected Cross-Site Scripting (XSS) | 1.6.6 / 1.6.7 |
Oauth2 Provider | Insecure Pseudorandom Number Generation | 3.1.4 / 3.1.5 |
Odihost Newsletter Plugin | SQL Injection | 1.0 / n/a |
Olevmedia Shortcodes | Authenticated Reflected Cross-Site Scrip… | 1.1.8 / 1.1.9 |
Olimometer | Unauthenticated SQL Injection | 2.56 / 2.57 |
Onelogin Saml Sso | Signature Wrapping | 2.4.2 / 2.4.3 |
Optinmonster | Execution of Arbitrary Shortcodes | 1.1.4.5 / 1.1.4.6 |
Option Seo | remote code execution (RCE) | 1.5 |
Oqey Gallery | SQL Injection | 0.4.8 / n/a |
Oqey Headers | SQL Injection | 0.3 / n/a |
Orbisius Child Theme Creator | Arbitrary File Write | 1.2.6 / 1.2.8 |
P3 Profiler | Cross-Site Scripting (XSS) | 1.5.3.8 / 1.5.3.9 |
Page Flip Image Gallery | Remote FD Vuln | 0.2.2 / n/a |
Page Google Maps | remote code execution (RCE) | 1.4 |
Page Layout Builder | Unauthenticated Reflected Cross-Site Scripting (XSS) | 2.0.2 / n/a |
Pagerestrict | Authenticated Stored Cross-Site Scripting (XSS) | 2.2.1 / 2.2.2 |
Paid Downloads | SQL Injection | 2.01 / n/a |
Parsi Font | Unauthenticated Reflected Cross-Site Scriptin… | 4.2.5 / 4.3 |
Party Hall Booking Management System | SQL injection | 1.0 / 1.1 |
Pay With Tweet | Multiple Vulnerabilities | 1.1 / n/a |
Payment Form For Paypal Pro | Multiple Reflected Cross-Site Scr… | 1.0.1 / 1.0.2 |
Paypal Currency Converter Basic For Woocommerce | File Read | 1.3 / 1.4 |
Paypal Digital Goods Monetization Powered By Cleeng | XSS in Z… | 2.2.13 / n/a |
Pdf Print | Cross Site Scripting | 1.7.4 / 1.7.5 |
Peepso Core | Authenticated Privilege Escalation | 1.6.0 / 1.6.1 |
Persian Woocommerce Sms | Reflected Cross-Site Scripting (XSS) | 3.3.3 / 3.3.4 |
Peters Login Redirect | Cross-Site Scripting (XSS) & CSRF | 2.9.0 / 2.9.1 |
Photo Gallery | Cross-Site Scripting (XSS) | 1.2.11 / 1.2.13 |
Photoracer | SQL Injection | 1.0 / n/a |
Php Analytics | arbitrary file upload | n/a |
Php Event Calendar | Arbitrary File Upload | 1.5 / 1.5.1 |
Php_speedy_wp | (admin_container.php) Remote Code Exec Exploit | 0.5.2 / n/a |
Pica Photo Gallery | arbitrary file viewing | 1.0 |
Pictpress | Remote File Disclosure | 0.91 / n/a |
Pie Register | Authenticated Blind SQL Injection | 2.0.18 / 2.0.19 |
Pitchprint | arbitrary file upload | 7.1 / 7.1.1 |
Pixabay Images | Multiple Vulnerabilities (RCE, XSS, …) | 2.3 / 2.4 |
Placester | XSS in ZeroClipboard | 0.3.12 / n/a |
Player | Multiple Authenticated Blind SQL Inje… | 1.5.16 / 1.5.18 |
Plugin Central | Authenticated Reflected Cross-Site Scripting (XSS) | 2.5 / 2.5.1 |
Plugin Newsletter | arbitrary file viewing | 1.3 / 1.5 |
Plugmatter Optin Feature Box Lite | Unauthenticated Blind SQL Injec… | 2.0.13 / 2.0.14 |
Plugnedit | Authenticated Stored Cross-Site Scr… | 5.2.0 / 6.2.0 |
Pluscaptcha | Cross-Site Request Forgery (CSRF) | 2.0.14 / 2.1.0 |
Podlove Podcasting Plugin For WordPress | Multiple SQLi & XSS | 2.3.15 / 2.3.16 |
Pods | Blind SQL Injection | 2.5.1.1 / 2.5.1.2 |
Polldaddy | Shortcode Stored Cross-Site Script… | 2.0.31 / 2.0.32 |
Pondol Formmail | Unauthenticated Reflected Cross-Site Script… | 1.1 / n/a |
Portfolio Gallery | Reflected Cross-Site Scripting (XSS) | 2.1.10 / 2.1.11 |
Post Duplicator | Cross-Site Scripting (XSS) | 2.16 / 2.17 |
Post Expirator | Cross-Site Request Forgery | 2.1.1 / 2.1.2 |
Post Grid | Unauthenticated Arbitrary File Deletion | 2.0.12 / 2.0.13 |
Post Highlights | SQL Injection | 2.2 / n/a |
Post Indexer | Authenticated SQL Injection | 3.0.6.1 / 3.0.6.2 |
Postmatic | Cross-Site Scripting (XSS) | 1.4.5 / 1.4.6 |
Posts In Page | authenticated local file inclusion (LFI) | 1.0.0 / 1.2.4 |
Powerpress | Authenticated Cross-Site… | 6.0.4 / 6.0.5 |
Pretty Link | Authenticated SQL Injection | 1.6.7 / 1.6.8 |
Prettyphoto | DOM Cross-Site Scripting (XSS) | 1.1 / 1.2 |
Private Only | CSRF & XSS | 3.5.1 / n/a |
Profile Builder | Reflected Cross-Site Scripting (XSS) | 2.4.1 / 2.4.2 |
Profiles | SQL Injection | 2.0RC1 / n/a |
Ptengine Real Time Web Analytics And Heatmap | Reflected Cross-Site Scripting (XSS) | 1.0.1 / 1.0.2 |
Pure Html | SQL Injection | 1.0.0 / n/a |
Pwgrandom | CSRF & XSS | 1.11 / n/a |
Q2w3 Inc Manager | XSS in ZeroClipboard | 2.3.1 / n/a |
Qtranslate | Cross-Site Scripting (XSS) | 2.5.39 / n/a |
Qtranslate X | Authenticated Reflected Cross-Site Scripting (XSS) | 3.4.3 / 3.4.4 |
Quiz Master Next | Stored Cross-Site Scripting (XSS) & CSRF | 4.7.8 |
Quotes And Tips | Cross Site Scripting | 1.19 / 1.20 |
Quotes Collection | Reflected Cross-Site Scripting (XSS) | 2.0.5 / 2.0.6 |
Really Simple Guest Post | File Include | 1.0.6 / 1.0.7 |
Recent Backups | Remote File Download | 0.7 / n/a |
Recent Posts Widget Extended | Authenticated XSS (multisite) | 0.9.9.3 / 0.9.9.4 |
Redirection Page | CSRF/XSS | 1.2 / n/a |
Reflex Gallery | Arbitrary File Upload | 3.1.3 / 3.1.4 |
Register Plus Redux | Cross Site Scripting | 3.8.3 / n/a |
Rejected Wp Keyword Link Rejected | Authenticated Stored Cross-Site Scripting (XSS) | 1.7 / n/a |
Related Posts For Wp | Cross-Site Scripting (XSS) | 1.8.1 / 1.8.2 |
Relevanssi | Cross-Site Scripting (XSS) | 3.3.7.1 / 3.3.8 |
Relevanssi Premium | SQL Injection & PHP Object Injection | 1.14.4 / 1.14.6.1 |
Relevant | Cross Site Scripting | 1.0.7 / 1.0.8 |
Remote Upload | Unrestricted File Upload | 1.2.1 / 1.2.2 |
Resads | Reflected Cross-Site Scripting (XSS) | 1.0.1 / 1.0.2 |
Rest Api | Unauthenticated Sensitive Informa… | 13 / 13.1 |
Resume Submissions Job Postings | Unrestricted File Upload | 2.5.1 / 2.5.2 |
Return To Top | remote code execution (RCE) | 1.8 / 5.0 |
Revslider | arbitrary file viewing | 1.0 / 4.1.4 |
Rich Counter | Cross-Site Scripting (XSS) | 1.1.5 / 1.2.0 |
Robo Gallery | Remote Code Execution | 2.0.14 / 2.0.15 |
Role Scoper | Unauthenticated Reflected Cross-Site Scripting (… | 1.3.66 / 1.3.67 |
Royal Slider | Authenticated Cross-Site Scripting (XSS) | 3.2.6 / 3.2.7 |
S3 Video | Unauthenticated Reflected Cross-Site Scriptin… | 0.983 / n/a |
S3bubble Amazon S3 Audio Streaming | Arb… | 2.0 / n/a |
S3bubble Amazon S3 Html 5 Video With Adverts | arbitrary file viewing | 0.5 / 0.7 |
Sabre | Cross Site Scripting | 1.2.0 / 1.2.2 |
Safe Editor | Unauthenticated CSS/JS-injection | 1.1 / 1.2 |
Sam Pro Free | Local File Inclusion (LFI) | 1.9.6.67 / 1.9.7.69 |
Scorerender | XSS in ZeroClipboard | 0.3.4 / n/a |
Scormcloud | SQL Injection | 1.0.6.6 / 1.0.7 |
Se Html5 Album Audio Player | Local File Include | 1.1.0 / n/a |
Search And Share | XSS in ZeroClipboard | 0.9.3 / n/a |
Search Autocomplete | SQL Injection | 1.0.8 / n/a |
Searchterms Tagging 2 | Authenticated SQL Injection | 2 1.535 / n/a |
Securemoz Security Audit | MitM PHP Object Injection | 1.0.5 / n/a |
Sell Downloads | arbitrary file viewing | 1.0.1 |
Sendit | Blind SQL Injection | 1.5.9 / n/a |
Sendpress | Authenticated SQL Injection | 1.1.7.21 / 1.2 |
Seo Image | Cross-Site Scripting (XSS) | 3.0.4 / 3.0.5 |
Seo Keyword Page | remote code execution (RCE) | 2.0.5 |
Seo Rank Reporter | Authenticated Reflected Cross-Site Scriptin… | 2.2.2 / n/a |
Seo Redirection | Authenticated Reflected Cross-Site Scrip… | 2.8 / 2.9 |
Seo Spy Google WordPress Plugin | arbitrary file upload | 2.0 / 2.6 |
Seo Watcher | arbitrary file upload | 1.3.2 / 1.3.3 |
Sexy Contact Form | arbitrary file upload | 0.9.1 / 0.9.8 |
Sh Slideshow | SQL Injection | 3.1.4 / n/a |
Share And Follow | Cross Site Scripting | 1.80.3 / n/a |
Share Buttons Wp | remote code execution (RCE) | 1.0 |
Sharebar | sharebar-admin.php page Parameter XSS | 1.2.5 / n/a |
Shariff Sharing | Stored Cross-Site Scripting (XSS) | 1.0.7 / 1.0.8 |
Shortcode Redirect | Stored Cross Site Scripting | 1.0.01 / n/a |
Showbiz | arbitrary file viewing | 1.0 / 1.5.2 |
Si Contact Form | Authenticated Cross-Site Scripting … | 4.0.37 / 4.0.38 |
Simpel Reserveren | Unauthenticated Reflected Cross-Site Scri… | 3.5.2 / n/a |
Simple Ads Manager | SQL Injection | 2.9.4.116 / 2.9.5.118 |
Simple Backup | Arbitrary File Download | 2.7.10 / 2.7.11 |
Simple Download Button Shortcode | arbitrary file viewing | 1.0 |
Simple Download Monitor | Insufficient Authorisation | 3.2.8 / 3.2.9 |
Simple Dropbox Upload Form | arbitrary file upload | 1.8.6 / 1.8.8 |
Simple Fields | Authenticated Reflected Cross-Site Scripting (… | 1.4.10 / 1.4.11 |
Simple Image Manipulator | Remote File Download | 1.0 / n/a |
Simple Membership | Cross-Site Scripting (XSS) | 3.2.8 / 3.2.9 |
Simple Photo Gallery | Stored Cross-Site Scripting (XSS) | 1.8.0 / 1.8.1 |
Simple Security | 2 x Cross-Site Scripting (XSS) | 1.1.5 / 1.1.6 |
Simple Share Buttons Adder | Reflected Cross-Site Scripting (XSS) | 6.0.0 / 6.0.1 |
Simple Support Ticket System | Unauthenticated SQL Injection | 1.2 / 1.2.1 |
Simplr Registration Form | privilege escalation | 2.2.0 / 2.4.3 |
Sirv | Authenticated SQL Injection | 1.3.1 / 1.3.2 |
Site Import | remote page inclusion | 1.0.0 / 1.2.0 |
Sitepress Multilingual Cms | Multiple Vulnerabilities (Including SQLi) | 3.1.7.2 / 3.1.9 |
Slide Show Pro | arbitrary file upload | 2.0 / 2.4 |
Slidedeck2 | XSS in ZeroClipboard | 2.1.20130228 / n/a |
Slider Image | Authenticated Blind SQL Injection | 2.8.6 / 2.8.7 |
Slideshow Gallery | Arbitrary file upload & Cross-Sit… | 1.5.3 / 1.5.3.4 |
Sliding Social Icons | CSRF & Stored XSS | 1.61 / n/a |
Smart Manager For Wp E Commerce | Unauthenticated SQL Inje… | 3.9.6 / 3.9.7 |
Smart Slide Show | arbitrary file upload | 2.0 / 2.4 |
Smart Slider 2 | Authenticated Reflected Cross-Site Scripting … | 2.3.11 / 2.3.12 |
Smart Videos | remote code execution (RCE) | 1.0 |
Smooth Slider | Authenticated SQL Injection | 2.6.5 / 2.7 |
Snazzy Archives | swf/tagcloud.swf tagcloud Parameter XSS | 1.7.1 / 1.7.2 |
Social Locker | Authenticated Reflected Cross-Site Scr… | 4.2.0 / 4.2.5 |
Social Networking E Commerce 1 | arbitrary file upload | 0.0.32 |
Social Networks Auto Poster Facebook Twitter G | Stored XSS | 3.4.17 / 3.4.18 |
Social Share Button | Authenticated Stored Cross-Site Scripting (… | 2.1 / n/a |
Social Sharing | possible arbitrary file upload | 1.0 |
Social Slider 2 | social-slider-2/ajax.php rA Parameter SQL Injec… | 5.6.5 / 6.0.0 |
Sola Support Tickets | XSS & Configuration Change | 3.12 / 3.13 |
Soundcloud Is Gold | Unauthenticated Reflected Cross-Site Scrip… | 2.3.1 / 2.3.2 |
Soundy Background Music | Reflected Cross-Site Scripting (XSS) | 3.1 / 3.2 |
Sourceafrica | Unauthenticated Cross-Site Scripting (XSS) | 0.1.3 / n/a |
Sp Client Document Manager | Multiple Vulnerabilities | 2.5.9.5 / 2.6.0.0 |
Spamtask | arbitrary file upload | 1.3 / 1.3.6 |
Spicy Blogroll | local file inclusion (LFI) | 0.1 / 1.0.0 |
Spider Event Calendar | SQL Injection | 1.4.9 / 1.4.14 |
Spider Facebook | Cross-Site Scripting (XSS) | 1.0.10 / 1.0.11 |
Spotlightyour | arbitrary file upload | 1.0 / 4.5 |
Stageshow | Open Redirect | 5.0.8 / 5.0.9 |
Stats Counter | PHP object injection | 1.0 / 1.2.2.5 |
Stats Wp | remote code execution | 1.8 |
Stop User Enumeration | Username Enumeration Bypasses | 1.3.4 / 1.3.5 |
Store Locator | Cross-Site Request Forgery | 2.6.1 / 2.12 |
Store Locator Le | Authenticated Cross-Site Sc… | 4.5.10 / 4.5.11 |
Stream | Unauthenticated Events Export | 3.0.5 / 3.0.6 |
Stream Video Player | Setting Manipulation CSRF | 1.4.0 / n/a |
Subscribe To Comments | Authenticated Local File Inclusion | 2.1.2 / 2.3 |
Subscribe To Comments Reloaded | Authenticated Reflected Cross… | 150611 / 150820 |
Subscribe2 | Cross Site Scripting | 8.0 / 8.1 |
Super Captcha | SQL Injection | 2.2.4 / n/a |
Supportflow | Stored Cross-Site Scripting (XSS) | 0.6 / 0.7 |
Syndication Links | DOM Cross-Site Scripting (XSS) | 1.0.2 / 1.0.2.1 |
Syntaxhighlighter | Unspecified Cross-Site Scripting (XSS) | 3.1.9 / 3.1.10 |
Taxonomy Terms Order | Authenticated Cross-Sit… | 1.4.4 / 1.4.6.1 |
Tera Charts | reflected cross-site scripting (XSS) | 0.1 / 1.0 |
Testimonial Slider | Authenticated Stored Cross-Site Scripting … | 1.2.1 / n/a |
Tevolution | Unrestricted File Upload | 2.2.7 / 2.3.0 |
Thanks You Counter Button | Cross-Site Scripting (XSS) | 1.8.2 / 1.8.3 |
The Events Calendar | Open Redirect | 4.1.1 / 4.1.1.1 |
The Holiday Calendar | Cross-Site Scripting (XSS) | 1.11.2 / 1.11.3 |
The Viddler WordPress Plugin | cross-site request forgery (CSRF)/cross-site scripting (XSS) | 1.2.3 / 2.0.0 |
Thecartpress | Multiple Vulnerabilities | 1.3.9 / n/a |
Theme Test Drive | Authenticated File Upload & XSS | 2.9 / 2.9.1 |
Thethe Layout Grid | XSS in ZeroClipboard | 1.0.0 / n/a |
Thinkit Wp Contact Form | wp-admin/admin.php Contact Form Deletion CSRF | 0.3 / n/a |
Tidio Form | Unauthenticated Reflected Cross-Site … | 1.0 / n/a |
Tidio Gallery | Unauthenticated Reflected Cross-Site Scripting (… | 1.1 / n/a |
Tiny Url | XSS in ZeroClipboard | 1.3.2 / n/a |
Tinymce Advanced | Setting Reset Cross-Site Request Forgery (CSRF) | 4.1 / 4.2.3 |
Tinymce Thumbnail Gallery | download-image.php Local File Inclu… | 1.0.7 / 1.1.0 |
Top 10 | Cross-Site Scripting (XSS) | 2.3.0 / 2.3.1 |
Track That Stat | Cross Site Scripting | 1.0.8 / 1.1.0 |
Tune Library | SQL Injection | 1.5.4 / 1.5.5 |
Tweet Old Post | Privilege Escalation | 6.9.0 / 6.9.4 |
Tweet Wheel | Reflected Cross-Site Scripting (XSS) | 1.0.3.2 / 1.0.3.3 |
Types | Cross-Site Scripting (XSS) | 1.8.7.2 / 1.8.8 |
Ucan Post | Stored XSS | 1.0.09 / n/a |
Uji Countdown | Cross-Site Scripting (XSS) | 2.0.6 / 2.0.7 |
Ultimate Member | Unauthenticated Change Passwords | 1.3.75 / 1.3.76 |
Ultimate Product Catalog | Privilege Escalation | 3.8.1 / 3.8.2 |
Ultimate Product Catalogue | Unauthenticated Blind SQL Injection | 3.9.8 / 3.9.9 |
Ultimate Profile Builder | CSRF/XSS | 2.3.3 / n/a |
Ultimate Social Media Icons | Authenticated Stored Cross-Site… | 1.1.1.11 / 1.1.1.12 |
Unconfirmed | unconfirmed.php s Parameter Reflected XSS | 1.2.4 / 1.2.5 |
Ungallery | Local File Disclosure | 1.5.8 / 1.5.9 |
Uninstall | WordPress Deletion via CSRF | 1.1 / 1.2 |
Unite Gallery Lite | CSRF & Authenticated SQL Injection | 1.4.6 / 1.5 |
Universal Analytics | Authenticated Cross-Site Scripting (XSS) | 1.3.0 / 1.3.1 |
Unlimited Popups | Cross-Site Scripting (XSS) | 1.4.3 / 1.4.4 |
Updraft | Cross-Site Scripting (XSS) | 1.9.6.3 / 1.9.6.4 |
Updraftplus | Privilege Escalation | 1.9.50 / 1.9.51 |
Usc E Shop | Session Management | 1.8.2 / 1.8.3 |
User Meta Manager | Information Disclosure | 3.4.7 / 3.4.8 |
User Role Editor | Privilege Escalation | 4.24 / 4.25 |
User Submitted Posts | Stored Cross-Site Scripting (XSS) | 20151113 / 20160215 |
Users To Csv | Cross-Site Request Forgery (CSRF) | 1.4.5 / n/a |
Users Ultra | Authenticated Stored Cross-Sit… | 1.5.62 / 1.5.63 |
Vaultpress | Backend Server SSL Verification Disabled | 1.8.6 / 1.8.7 |
Video Playlist And Gallery Plugin | Authenticated Stored Cross-Site Scripting … | 1.136 / 1.137 |
Videowhisper Live Streaming Integration | Cross-Site Scripting… | 4.25.3 / n/a |
Videowhisper Video Presentation | SQL Injection | 1.1 / n/a |
Visitor Maps | Authenticated Stored Cross-Site… | 1.5.8.6 / 1.5.8.7 |
Visual Form Builder | SQL Injection & Reflected XSS | 2.8.2 / 2.8.3 |
Vn Calendar | Multiple Cross-Site Scripting (XSS) | 1.0 / n/a |
W3 Total Cache | Information Disclosure Race Condition | 0.9.4.1 / 0.9.5 |
Wangguard | Authenticated Reflected Cross-Site Scripting (XSS) | 1.7.2 / 1.7.3 |
Wassup | Cross Site Scripting | 1.9 / 1.9.1 |
Watupro | Cross-Site Request Forgery (CSRF) | 4.8.8.4 / 4.9.0.8 |
Web Tripwire | arbitrary file upload | 0.1.2 |
Websimon Tables | Authenticated Reflected Cross-Site Scripting … | 1.3.4 / n/a |
Website Contact Form With File Upload | Local File Inclusion | 1.5 / 1.6 |
Weever Apps 20 Mobile Web Apps | arbitrary file upload | 3.0.25 / 3.1.6 |
White Label Cms | Stored XSS | 1.5.2 / 1.5.3 |
Whizz | Unauthenticated Reflected Cross-Site Scripting (XSS) | 1.0.7 / 1.0.8 |
Woo Custom Checkout Field | CSRF & Stored XSS | 1.3.4 / 1.3.5 |
Woo Email Control | Reflected Cross-Site Scripting (XSS) & CSRF | 1.01 / 1.02 |
Woocommerce | Authenticated Tax-Rate CSV XSS | 2.6.8 / 2.6.9 |
Woocommerce Abandoned Cart | Authenticated Blind SQL Injection | 1.8 / 1.9 |
Woocommerce Product Addon | Arbitrary File Upload | 1.1 / 2.0 |
Woocommerce Products Filter | authenticated persistent cross-site scripting (XSS) | 1.1.4 / 1.1.4.2 |
Woopra | arbitrary file upload | 1.4.1 / 1.4.3.1 |
Wordfence | Cross-Site Scripting (XSS) | 5.1.4 / 5.1.5 |
WordPress Donation Plugin With Goals And Paypal Ipn By Nonprofitcmsorg | SQL Injection | 1.0 / n/a |
WordPress File Monitor | persistent cross-site scripting (XSS) | 2.0 / 2.3.3 |
WordPress Flash Uploader | Arbitrary Command Execution | 3.1.2 / 3.1.3 |
WordPress Form Manager | Authenticated Remote Command Execution (RCE) | 1.7.2 / 1.7.3 |
WordPress Meta Robots | Authenticated Blind SQL Injection | 2.1 / n/a |
WordPress Mobile Pack | Information Disclosure | 2.1.2 / 2.1.3 |
WordPress Seo | Authenticated Stored Cross-Site Scripting (XSS) | 3.4.0 / 3.4.1 |
WordPress Seo Premium | Cross-Site Scripting (XSS) | 2.0.1 / 2.1 |
WordPress Simple Paypal Shopping Cart | Cross-Site Request Forgery (CSRF) | 3.5 / 3.6 |
Wordtube | (wpPATH) RFI | 1.43 / n/a |
Work The Flow File Upload | Shell Upload | 2.5.2 / 2.5.3 |
Wp Advance Comment | Stored Cross-Site Scripting (XSS) | 0.10 / 0.11 |
Wp Advanced Importer | Reflected Cross-Site Scripting (XSS) | 2.1.1 / 2.2 |
Wp All Import | Multiple Vulnerabilities | 3.2.4 / 3.2.5 |
Wp All Import Pro | Multiple Vulnerabilities | 4.1.1 / 4.1.2 |
Wp Appointment Schedule Booking System | persistent cross-site scripting (XSS) | 1.0 |
Wp Attachment Export | Unauthenticated File Download | 0.2.3 / 0.2.4 |
Wp Audio Gallery Playlist | SQL Injection | 0.12 / n/a |
Wp Auto Affiliate Links | Authenticated Blind SQL Injection | 4.9.9.4 / 5.0 |
Wp Autoyoutube | Blind SQL Injection | 0.1 / n/a |
Wp Backitup | Backup File Disclosure | 1.9.1 / 1.9.2 |
Wp Bannerize | SQL Injection | 2.8.6 / 2.8.7 |
Wp Business Intelligence | SQL Injection | 1.6.1 / 1.6.2 |
Wp Business Intelligence Lite | SQL Injection | 1.6.1 / 1.6.2 |
Wp Cerber | Unauthenticated Stored XSS | 2.0.1.6 / 2.7 |
Wp Championship | Authenticated Blind SQL Injection | 5.8 / 5.9 |
Wp Clone By Wp Academy | XSS in ZeroClipboard | 2.1.1 / n/a |
Wp Construction Mode | Cross-Site Scripting (XSS) | 1.91 / 1.92 |
Wp Copyprotect | CSRF & Stored Cross-Site Scripting (XSS) | 3.0.0 / 3.1.0 |
Wp Cron Dashboard | Reflected Cross-Site Scripting (XSS) | 1.1.5 / 1.1.6 |
Wp Crontrol | Authenticated Reflected Cross-Site Scripting (XSS) | 1.2.3 / 1.3 |
Wp Cumulus | Vulnerabilities | 1.20 / n/a |
Wp Custom Page | arbitrary file viewing | 0.5 / 0.5.0.1 |
Wp D3 | Cross-Site Request Forgery (CSRF) | 2.4 / 2.4.1 |
Wp Database Backup | Cross-Site Request Forgery (CSRF) | 4.3.5 / 4.3.6 |
Wp Dreamworkgallery | arbitrary file upload | 2.0 / 2.3 |
Wp Ds Faq | ajax.php id Parameter SQL Injection | 1.3.2 / n/a |
Wp E Commerce | SQL Injection in sessionid | 3.11.3 / 3.11.4 |
Wp Easy Gallery | Reflected Cross-Site Scripting (XSS) | 4.1.4 / 4.1.5 |
Wp Easy Poll Afo | Cross-Site Scripting (XSS) & CSRF | 1.1.3 / 1.1.4 |
Wp Easy Slideshow | Multiple Cross-Site Request Forgery (CSRF) | 1.0.3 / n/a |
Wp Easybooking | reflected cross-site scripting (XSS) | 1.0.0 / 1.0.3 |
Wp Easycart | Unrestricted File Upload | 3.0.15 / 3.0.16 |
Wp Ecommerce Shop Styling | Local File Inclusion | 2.5 / 2.6 |
Wp Editor | Multiple Cross-Site Scripting (XSS) | 1.2.6.2 / 1.2.6.3 |
Wp Email | SQL Injection | 2.67.1 / 2.67.2 |
Wp External Links | Multiple Cross-Site Scripting (XSS) | 1.80 / 1.81 |
Wp Facethumb | Reflected Cross Site Scripting | 0.1 / n/a |
Wp Fast Cache | CSRF & Cross-Site Scripting (XSS) | 1.4 / 1.5 |
Wp Fastest Cache | Local File Inclusion (LFI) | 0.8.5.9 |
Wp Favorite Posts | Cross-Site Scripting (XSS) | 1.6.5 / 1.6.6 |
Wp Fb Autoconnect | XSS/CSRF | 4.0.5 / 4.0.6 |
Wp File Upload | Insufficient File Extension Blacklisting | 3.8.5 / 3.9.0 |
Wp Filebase | wpfb-ajax.php base Parameter SQL… | 0.2.9 / n/a |
Wp Filemanager | File Download | 1.3.0 / 1.4.0 |
Wp Flash Player | Multiple Cross-Site Scripting (XSS) | 1.3 / n/a |
Wp Flipslideshow | persistent cross-site scripting (XSS) | 2.0 / 2.2 |
Wp Front End Profile | Privilege Escalation & Stored Cross-Site… | 0.2.1 / 0.2.2 |
Wp Front End Repository | Arbitrary File Upload | 1.1 / n/a |
Wp Google Fonts | Authenticated Reflected Cross-Site Scripting … | 3.1.3 / 3.1.4 |
Wp Google Map Plugin | Authenticated Cross-Site Scripting (XSS) | 2.3.9 / 3.0.0 |
Wp Google Maps | Authenticated Stored Cross-Site Scripting (XS… | 6.3.14 / 6.3.15 |
Wp Handy Lightbox | remote code execution (RCE) | 1.4.5 |
Wp Homepage Slideshow | arbitrary file upload | 2.0 / 2.3 |
Wp Image News Slider | arbitrary file upload | 3.0 / 3.5 |
Wp Instance Rename | Arbitrary File Download | 1.0 / n/a |
Wp Invoice | Multiple Vulnerabilities | 4.1.0 / 4.1.1 |
Wp Job Manager | Unauthenticated Reflected Cross-Site Scriptin… | 1.23.7 / 1.23.8 |
Wp Levoslideshow | arbitrary file upload | 2.0 / 2.3 |
Wp Limit Login Attempts | Unauthenticated SQL Injection | 2.0.0 / 2.0.1 |
Wp Limit Posts Automatically | CSRF & XSS | 0.7 / n/a |
Wp Link To Us | XSS in ZeroClipboard | 2.0 / n/a |
Wp Listings | Unauthenticated Reflected Cross-Site Scripti… | 2.0.1 / 2.0.2 |
Wp Live Chat Support | Stored Cross-Site Scripting (XSS) | 6.2.03 / 6.2.04 |
Wp Maintenance Mode | Missing Settings Authorization | 2.0.6 / 2.0.7 |
Wp Media Cleaner | Cross-Site Scripting (XSS) | 2.2.6 / n/a |
Wp Membership | Multiple Vulnerabilities | 1.2.3 / n/a |
Wp Menu Creator | SQL Injection | 1.1.7 / n/a |
Wp Mobile Detector | Arbitrary File Upload | 3.5 / 3.6 |
Wp Mobile Edition | Local File Inclusion (LFI) | 2.2.7 / 2.3 |
Wp Mon | arbitrary file viewing | 0.5 / 0.5.1 |
Wp Noexternallinks | Cross-Site Scripting (XSS) | 3.5.15 / 3.5.16 |
Wp Online Store | arbitrary file viewing | 1.2.5 / 1.3.1 |
Wp Page Widget | Authenticated Reflected Cross-Site Scripting (XSS) | 2.7 / 2.8 |
Wp Photo Album Plus | Stored Cross-Site Scripting (XSS) | 6.1.2 / 6.1.3 |
Wp Piwik | Unauthenticated Stored Cross-Site Scripting (XSS) | 1.0.10 |
Wp Plotly | Authenticated Stored Cross-Site Scripting (XSS) | 1.0.2 / 1.0.3 |
Wp Polls | Authenticated Reflected Cross-Site Scripting (XSS) | 2.73 / 2.73.1 |
Wp Popup | remote code execution (RCE) | 2.0.0 / 2.1 |
Wp Post Frontend | arbitrary file upload | 1.0 |
Wp Print Friendly | Security Bypass | 0.5.2 / 0.5.3 |
Wp Property | Non-administrative User XMLI Remote Informatio… | 1.38.3.2 / 1.38.4 |
Wp Quick Booking Manager | persistent cross-site scripting (XSS) | 1.0 / 1.1 |
Wp Recaptcha | Reflected XSS | 3.1.3 / 3.1.4 |
Wp Rollback | Cross-Site Scripting (XSS) & CSRF | 1.2.2 / 1.2.3 |
Wp Royal Gallery | persistent cross-site scripting (XSS) | 2.0 / 2.3 |
Wp Rss Multi Importer | Blind SQL Injection & Cross-Site Scripti… | 3.15 / n/a |
Wp Seo Spy Google | arbitrary file upload | 3.0 / 3.1 |
Wp Shop Original | Unauthenticated Blind SQL Injection | 3.4.3.15 / 3.4.3.16 |
Wp Shopping Cart | Arbitrary File Upload Exploit | 3.4 / n/a |
Wp Simple Cart | arbitrary file upload | 0.9.0 / 1.0.15 |
Wp Slimstat | Referer Header Cross-Site Scripting (XSS) | 4.1.5.2 / 4.1.6 |
Wp Slimstat Ex | arbitrary file upload | 2.1 / 2.1.2 |
Wp Smiley | CSRF & Cross-Site Scripting (XSS) | 1.4.1 / n/a |
Wp Social Bookmarking Light | Authenticated Stored Cross-Site S… | 1.7.9 / 1.7.10 |
Wp Social Invitations | test.php Multiple Parameter Reflected XSS | 1.4.4.2 / 1.4.4.3 |
Wp Statistics | Referer Cross-Site Scripting (XSS) | 9.5.1 / 9.5.2 |
Wp Stats | CSRF & Stored Cross-Site Scripting (XSS) | 2.51 / 2.52 |
Wp Stats Dashboard | Authenticated Blind SQL Injection | 2.9.4 / n/a |
Wp Super Cache | PHP Object Injection | 1.4.4 / 1.4.5 |
Wp Superb Slideshow | arbitrary file upload | 2.0 / 2.4 |
Wp Survey And Poll | Blind SQL Injection | 1.1.7 / 1.1.91 |
Wp Survey And Quiz Tool | Cross Site Scripting | 2.9.2 / 2.9.3 |
Wp Swimteam | Local File Inclusion | v1.44.10777 / 1.45 |
Wp Symposium | Unauthenticated Reflected Cross-Site Scripting … | 15.8.1 / n/a |
Wp Symposium Pro | Unspecified | 15.12 / 16.01 |
Wp Table | (inc_dir) RFI | 1.43 / n/a |
Wp Table Reloaded | zeroclipboard.swf id Parameter XSS | 1.9.3 / 1.9.4 |
Wp Timed Popup | CSRF & Stored XSS | 1.3 / n/a |
Wp Topbar | XSS in ZeroClipboard.swf | 3.04 / n/a |
Wp Ultimate Csv Importer | Reflected Cross-Site Scripting (XSS) | 3.8.6 / 3.8.8 |
Wp Ultimate Exporter | Unauthenticated SQL Injection | 1.1 / n/a |
Wp User Frontend | Unrestricted File Upload | 2.3.10 / 2.3.11 |
Wp Useronline | Stored Cross-Site Scripting (XSS) | 2.62 / 2.70 |
Wp Vertical Gallery | arbitrary file upload | 2.0 / 2.3 |
Wp Whois | Cross Site Scripting | 1.4.2 / n/a |
Wp Yasslideshow | arbitrary file upload | 3.0 / 3.4 |
Wp125 | Multiple XSS | 1.4.4 / 1.4.5 |
Wp_rokbox | thumb.php src Parameter Malformed Input Path Disclosure | 2.13 / n/a |
Wp_rokintroscroller | XSS,DoS,Disclosure,Upload Vulnerabilities | 1.8 / n/a |
Wp_rokmicronews | XSS,DoS,Disclosure,Upload Vulnerabilities | 1.5 / n/a |
Wp_roknewspager | XSS,DoS,Disclosure,Upload Vulnerabilities | 1.17 / n/a |
Wp_rokstories | XSS,DoS,Disclosure,Upload Vulnerabilities | 1.25 / n/a |
Wpbook | Cross-Site Request Forgery (CSRF) | 3.7 / 3.7.1 |
Wpdatatables | SQL Injection | 1.5.3 / 1.5.4 |
Wpdiscuz | Reflected Cross-Site Scripting (XSS) | 3.1.4 / 3.2.0 |
Wpeasystats | local file inclusion (LFI) | 1.8 |
Wpgform | Cross-Site Scripting (XSS) | 0.84 / 0.85 |
Wplegalpages | Authenticated Stored Cross-Site Scripting (XSS) | 1.0.1 / 1.1 |
Wpmarketplace | Arbitrary File Download | 2.4.0 / 2.4.1 |
Wppygments | XSS in ZeroClipboard | 0.3.2 / n/a |
Wpshop | arbitrary file upload | 1.3.1.6 / 1.3.9.5 |
Wpsolr Search Engine | Unauthenticated Reflected Cross-Site Scripting (XSS) | 8.6 / 8.7 |
Wpss | SQL Injection | 0.6 / n/a |
Wpstorecart | arbitrary file upload | 2.0.0 / 2.5.29 |
Wptf Image Gallery | arbitrary file viewing | 1.0.1 / 1.0.3 |
Wptouch | Cross-Site Scripting (XSS) | 3.7.5.3 / 3.7.6 |
Wr Contactform | Authenticated SQL Injection | 1.1.9 / 1.1.10 |
Wsecure | Remote Code Execution (RCE) | 2.3 / 2.4 |
Wti Like Post | Unauthenticated Blind SQL Injection | 1.4.2 / 1.4.3 |
Wysija Newsletters | SQL Injection | 2.7.2 / 2.7.3 |
X Forms Express | Stored Cross-Site Scripting (XSS) | 2.1.0 / n/a |
Xcloner Backup And Restore | Multiple Vulnerabilities (RCE & LFI) | 3.1.1 / 3.1.2 |
Xdata Toolkit | arbitrary file upload | 1.6 / 1.9 |
Xerte Online | File Upload | 0.35 / 0.36 |
Xpinner Lite | Cross-Site Scripting (XSS) & CSRF | 2.2 / n/a |
Yawpp | Unauthenticated Stored Cross-Site Scripting (XSS) | 1.2.2 / n/a |
Yet Another Stars Rating | Authenticated Blind SQL Injection | 0.9.0 / 0.9.1 |
Yikes Inc Easy Mailchimp Extender | Local File Inclusion (LFI) | 6.0.5.5 / 6.1 |
Yith Maintenance Mode | Authenticated Reflected Cross-Site Scri… | 1.1.4 / 1.2.0 |
Yith Woocommerce Compare | Unauthenticated PHP Object injection | 2.0.9 / 2.1.0 |
Yolink Search | includes/bulkcrawl.php Multiple Parameter SQL I… | 1.1.4 / n/a |
Yop Poll | Reflected Cross-Site Scripting (XSS) | 5.7.3 / 5.7.4 |
Yousaytoo Auto Publishing Plugin | Cross Site Scripting | 1.0 / n/a |
Youtube Embed | Authenticated Stored Cross-Site Scripting (XSS) | 3.3.2 / 3.3.3 |
Zedity | Cross-Site Scripting (XSS) | 2.5.0 / 2.5.1 |
Zen Mobile App Native | Remote File Upload | 3.0 / n/a |
Zero Spam | Unauthenticated Blind SQL Injection | 2.1.1 / 2.2.0 |
Zingiri Web Shop | zing.inc.php page Parameter XSS | 2.4.0 / 2.4.2 |
Zip Attachments | Arbitrary File Download | 1.1.4 / 1.5 |
Zopim Live Chat | XSS in ZeroClipboard | 1.2.5 / 1.2.6 |
Zotpress | SQL Injection | 4.4 / n/a |
Has your WordPress site been hacked?
Don't despair; it happens to the best of us. It's tough to give generic advice without having a look at your site, but if you can still log in to your WP admin, we suggest installing the free Security Ninja plugin. It performs 40+ tests on your site, and with the Core add-on you can validate the integrity of your core files by comparing them to the secure master copies stored on WordPress.org. It's an invaluable tool for any WordPress site!
Sources
The list of the latest dangerous and vulnerable WordPress plugins is compiled from various sources, including:
- WPScan Vulnerability Database
- Offensive Security’s Exploit Database Archive
- Vapid Labs
- CVE Details
- Plugin Vulnerabilities