Blog: Vulnerable WordPress Plugins Report for the Week of June 28, 2019

Vulnerable Plugins

There are thirty-four issues this week, with four unfixed. The most critical this week is an unfixed Arbitrary Password Reset vulnerability in the Ultimate Members plugin. Since this is a premium plugin, I do not have access to the source to verify. According to the disclosure, the vendor has stated the fix will be included in version 2.4 some time in September. If you use this plugin, I encourage you to ask the vendor about this disclosure and when a fix will be released, as this is a critical vulnerability. In addition, there is a Cross-Site Request Forgery to Remote Code Execution vulnerability in Widget Logic (fixed as of version 5.10.2), and a Cross-Site Request Forgery to Settings Update vulnerability in the same plugin that is unfixed as of this posting. Last, there is an Unauthorized Settings Update vulnerability (fix available) in Block WP Login that allows an attacker to disable the protection offered by the plugin.

View this week’s vulnerable plugins list.

Other Security News

I just wanted to quickly mention that Wordfence has a great interview with Ryan Dewhurst, who has contributed greatly to the wpscan tool and is the maintainer of the wpvulndb.com database. Definitely check it out.

Paul Gilzow

Programmer Analyst, University of Missouri. @gilzow. http://missouri.edu/

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.
