Introduction

I've been making a PHP static code analysis tool for a while, and a few months ago I ran it against ~1000 (more or less) top WordPress plugins. The scanning results were manually verified in my spare time and delivered to the official plugins@wordpress.org from 04.07.2015 to 31.08.2015. Most of the reported plugins are already patched; some are not. Plugins that are vulnerable and still unpatched have already been removed from the official WordPress plugin repository.

Results

103 plugins vulnerable, with more than 4,000,000 active installations in total (~30,000,000 downloads).

List of reported plugins (the original reports contain verification/reproduce sections and URLs to the plugins' WordPress repository entries, where you can also verify the changelog):

- Cross-Site Scripting (XSS) in Duplicator 0.5.24 [original report - Sat, 15 Aug 2015]
- Cross-Site Scripting (XSS) in All In One WP Security 3.9.7 [original report - Thu, 13 Aug 2015]
- Cross-Site Scripting (XSS) in AddThis 5.0.12 [original report - Tue, 11 Aug 2015]
- Cross-Site Scripting (XSS) in Display Widgets 2.03 [original report - Tue, 11 Aug 2015]
- Blind SQL injection in Pretty Link Lite 1.6.7 [original report - Wed, 8 Jul 2015]
- Blind SQL injection in WP Statistics