20 Unpatched WordPress Plugins Have Security Flaws


The blog post linked below ran PHP static code analysis against the top 1000 WordPress plugins and found 103 vulnerable plugins,

and some of those have still not been patched (the 20 plugins listed as NOT PATCHED are below).

http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html

I have alphabetized the listing and started doing some manual checks on versions at the wordpress.org plugin listings.

I can't find the first one (Add Link to Facebook), and

Theme Test Drive is now at version 2.9.1 (so is that a fix?)


So unfortunately the blog.cinu.pl listing may already be out of date; be aware of this! A version number higher than the one reported does not by itself prove the flaw was fixed; check the plugin changelog or re-test before trusting it.

(This is a small problem when testing 1000 plugins with automated scripts: the "not patched" status is a snapshot and goes stale quickly.)


Here are the 20 plugins, all still listed as NOT PATCHED (sorted by plugin name, with the reported vulnerable version; updated 11/24/15):

  • Add Link to Facebook 2.2.7: Cross-Site Scripting (XSS) [original report: Thu, 13 Aug 2015]
  • Contact Form Manager 1.4.1: Cross-Site Scripting (XSS) [original report: Mon, 24 Aug 2015]
  • Email newsletter 20.13.6: Cross-Site Scripting (XSS) [original report: Mon, 10 Aug 2015]
  • GoCodes 1.3.5: SQL injection and Cross-Site Scripting (XSS) [original report: Tue, 25 Aug 2015]
  • Huge IT Google Map 2.2.5: SQL injection [original report: Wed, 8 Jul 2015]
  • JW Player 6 Plugin for WordPress 2.1.14: Cross-Site Scripting (XSS) [original report: Wed, 19 Aug 2015]
  • My Page Order 4.3: Cross-Site Scripting (XSS) [original report: Thu, 13 Aug 2015]
  • My Category Order 4.3: Cross-Site Scripting (XSS) [original report: Thu, 13 Aug 2015]
  • My Link Order 4.3: Cross-Site Scripting (XSS) [original report: Thu, 13 Aug 2015]
  • Plugin Central 2.5: Cross-Site Scripting (XSS) [original report: Tue, 25 Aug 2015]
  • SEO Rank Reporter 2.2.2: Cross-Site Scripting (XSS) [original report: Mon, 24 Aug 2015]
  • SEO SearchTerms Tagging 2 1.535: Blind SQL injection and Cross-Site Scripting (XSS) [original report: Wed, 8 Jul 2015]
  • Social Share Button 2.1: Persistent Cross-Site Scripting (XSS) [original report: Tue, 25 Aug 2015]
  • Theme Test Drive 2.9: Arbitrary file upload and Reflected Cross-Site Scripting (XSS) [original report: Thu, 20 Aug 2015]
  • Websimon Tables 1.3.4: Cross-Site Scripting (XSS) [original report: Fri, 21 Aug 2015]
  • WordPress Meta Robots 2.1: Blind SQL injection [original report: Tue, 25 Aug 2015]
  • WP Keyword Link 1.7: Persistent Cross-Site Scripting (XSS) [original report: Mon, 24 Aug 2015]
  • WP RSS Multi Importer 3.15: Blind SQL injection and Reflected Cross-Site Scripting (XSS) [original report: Wed, 8 Jul 2015]
  • WP-Stats-Dashboard 2.9.4: SQL injection [original report: Tue, 25 Aug 2015]
  • WP Widget Cache 0.26: Cross-Site Scripting (XSS) [original report: Tue, 25 Aug 2015]


This is a terrible programming methodology: no security testing during or after development. Every flaw on the list belongs to a well-known class (request input echoed into a page unescaped, values concatenated into SQL instead of bound, an upload handler without a type or permission check), and these are exactly the patterns a basic code review or static scan catches, which is how the blog.cinu.pl author found them in the first place.
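To make the three bug classes concrete, here is an added example (not code from any of the plugins listed above, and not from the blog.cinu.pl scan): each pattern as it typically appears in a plugin, followed by the hardened form using the WordPress escaping, query-binding and authorization APIs a reviewer would expect to see. The function, option and table names (`example_*`) are hypothetical.

```php
<?php
// Added example: three common plugin bug classes, vulnerable form then
// hardened form. All example_* names and the example_entries table are
// hypothetical; the WordPress functions used are the real core APIs.

// --- 1. Reflected XSS: request input echoed straight into a page ----------
function example_vulnerable_search_box() {
    // ?s=" autofocus onfocus=alert(1) x=" lands in the attribute verbatim.
    echo '<input name="s" value="' . $_GET['s'] . '">';
}

function example_hardened_search_box() {
    // Normalize on input, then escape for the exact output context (attribute).
    $s = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    echo '<input name="s" value="' . esc_attr( $s ) . '">';
}

// --- 2. SQL injection: a request value interpolated into the query ----------
function example_vulnerable_get_entries( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_entries';
    // id=1 OR 1=1, or a UNION SELECT, is passed through as SQL text.
    return $wpdb->get_results( "SELECT * FROM $table WHERE id = $id" );
}

function example_hardened_get_entries( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_entries';
    // prepare() binds the value; %d coerces it to an integer, so no string
    // can alter the query structure. The table name is not user input.
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
    );
}

// --- 3. Persistent XSS plus missing authorization in a settings handler ----
function example_vulnerable_save_settings() {
    // No capability check and no nonce: any logged-in user, or an admin
    // tricked via CSRF, can store raw markup that is printed on every page.
    update_option( 'example_footer_text', $_POST['footer_text'] );
}

function example_settings_form() {
    // The nonce field that the hardened handler below verifies.
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings' );
    echo '<textarea name="footer_text">'
        . esc_textarea( get_option( 'example_footer_text', '' ) )
        . '</textarea><button type="submit">Save</button></form>';
}

function example_hardened_save_settings() {
    // Authorization first: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF protection: dies unless the nonce from example_settings_form() is valid.
    check_admin_referer( 'example_save_settings' );
    // Allow only the HTML subset permitted in post content; strip scripts/handlers.
    $text = isset( $_POST['footer_text'] )
        ? wp_kses_post( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'example_footer_text', $text );
}

function example_render_footer() {
    // Escape on output as well: stored data is not trusted just because it
    // was filtered on the way in (older rows, direct DB edits, other plugins).
    echo wp_kses_post( get_option( 'example_footer_text', '' ) );
}
```

The pattern to look for when reviewing a plugin is the same in all three cases: where does request data enter (`$_GET`, `$_POST`, `$_REQUEST`), and is it escaped for its output context, bound into the query, and gated by a capability and nonce check before it changes state? A grep for `echo $_` and for `$wpdb->query(` or `get_results(` without a `prepare(` alongside is a five-minute first pass that would have flagged most of the plugins above.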

It is not unlike the RevSlider plugin problems in the recent past (see my earlier post on hacking WordPress via RevSlider).


What happens now is that thousands of WordPress sites running these plugins are going to be attacked and hacked by criminals without their owners knowing it.

Evgeniy Bogachev (on the FBI's Cyber Most Wanted list) is one of these criminals who may still be at large and building a larger criminal organization.


You also need to read this Kaspersky Lab report on the Securelist blog:

https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/

{ According to Kaspersky Lab, between 2012 and 2015, law enforcement agencies from a number of different countries, including the United States, Russia, Belarus, Ukraine and the EU arrested over 160 Russian-speaking cybercriminals who were members of small, medium-sized and large criminal groups. They were all suspected of being engaged in stealing money using malware. The total damage resulting from their worldwide activity exceeded $790 million dollars. }


This is also important: according to the same report, there are five major criminal groups of about 10 to 40 people each that develop attacks against our networks and financial institutions.

As I have mentioned in past blog posts, the criminals in Eastern Europe are recruiting with lucrative job offers, since labor is relatively cheap there (Ukraine's median income is around $180/month). All they have to do is hire at 2x to 3x the median wage, and they still profit from only 3 or 4 ransomware attacks.

http://oversitesentry.com/are-you-afraid-of-malware-ads/


We are fighting an uphill battle, especially since some of us are not fighting at all, and those who are defending are not doing it in an organized manner.


Get organized: contact us.
