Vulnerable WordPress Themes & Plugins
Introduction :
The main reason why a WordPress website gets hacked is because of vulnerable plugins & themes. These vulnerable plugins or themes break the website, which makes it prone to hackers. A hacked website can cause severe issues like ransomware & data breaches, resulting in financial loss to the brand.
In this report, We have mentioned the vulnerable plugins & themes currently active as of August 2021. Each plugin or theme will have a Low, Medium, High, or Critical rating depending on the severity.
In the section below, we have mentioned the names of each plugin & theme that can cause significant issues to your website. Each plugin or theme includes the type of vulnerability, the version number if patched, and the severity rating.
Plugin: 1. rucy
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 2. WP-Backgrounds Lite
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 3. WP Security Question
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 4. Event Espresso 4 Decaf – Event Registration Event Ticketing
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 5. WordPress Photo Gallery – Image Gallery
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 6. Opal Estate
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 7. Sync to Etsy Marketplace from WooCommerce
- Vulnerability: RCSRF Bypass
- Patched in Version: 3.3.2
- Severity Score: Medium
The vulnerability is patched, so you should update to version 3.3.2.
Plugin: 8. RAYS Grid
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 9. Sell Media
- Vulnerability: CSRF Bypass
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 10. Simple eCommerce
- Vulnerability: Arbitrary File Upload
- Patched in Version: No known fix
- Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 11. WP Courses LMS
- Vulnerability: Authenticated Stored XSS via Video Embed Code
- Patched in Version: 2.0.44
- Severity Score: Low
The vulnerability is patched, so you should update to version 2.0.44.
Plugin: WP Courses LMS
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 2.0.44
- Severity Score: High
The vulnerability is patched, so you should update to version 2.0.44.
Plugin: 12. CBX Bookmark & Favorite
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.6.9
- Severity Score: High
The vulnerability is patched, so you should update to version 1.6.9.
Plugin: 13. Afterpay Gateway for WooCommerce
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 3.2.1
- Severity Score: High
The vulnerability is patched, so you should update to version 3.2.1.
Plugin: 14. Amazon Auto Links
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 4.6.20
- Severity Score: High
The vulnerability is patched, so you should update to version 4.6.20.
Plugin: 15. Post Carousel
- Vulnerability: Unauthorised AJAX Calls
- Patched in Version: 2.3.5
- Severity Score: Medium
The vulnerability is patched, so you should update to version 2.3.5.
Errors on your WordPress website? Helpbot can help you fix any errors on your website. Visit our blog and learn more on How you can fix errors on your WordPress website also check out our services on WordPress maintenance & development.
Plugin: 16. Smash Balloon Social Post Feed
- Vulnerability: Unauthenticated Stored XSS
- Patched in Version: 2.19.2
- Severity Score: Critical
The vulnerability is patched, so you should update to version 2.19.2.
Plugin: 17. Stop User Enumeration
- Vulnerability: REST API Bypass
- Patched in Version: 1.3.9
- Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.9.
Plugin: 18. Language Bar Flags
- Vulnerability: CSRF to Stored XSS
- Patched in Version: No known fix
- Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 19. Email Artillery
- Vulnerability: CSRF to Stored XSS
- Patched in Version: No known fix
- Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Email Artillery
- Vulnerability: Multiple Reflected Cross-Site Scripting
- Patched in Version: No known fix
- Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Email Artillery
- Vulnerability: Multiple Authenticated SQL Injections
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Email Artillery
- Vulnerability: Arbitrary File Upload
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 20. SEOPress 5.0.0
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: 5.0.4
- Severity Score: Medium
The vulnerability is patched, so you should update to version 5.0.4.
Plugin: 21. SP Project & Document Manager
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 4.26
- Severity Score: High
The vulnerability is patched, so you should update to version 4.26.
Plugin: SP Project & Document Manager
- Vulnerability: Authenticated Shell Upload
- Patched in Version: 4.22
- Severity Score: Medium
The vulnerability is patched, so you should update to version 4.22.
Plugin: 22. WordPress Advanced Ticket System
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: 1.0.64
- Severity Score: Low
The vulnerability is patched, so you should update to version 1.0.64.
Plugin: 23. WPHEKA Request For Quote
- Vulnerability: CSRF Bypass
- Patched in Version: 1.3
- Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.
Plugin: 24. WAll 404 Redirect to Homepage
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: 2.1
- Severity Score: Low
The vulnerability is patched, so you should update to version 2.1.
Plugin: 25. Fileviewer
- Vulnerability: Arbitrary File Upload/Deletion via CSRF
- Patched in Version: No known fix
- Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 26. Shopp eCommerce
- Vulnerability: Unauthenticated Arbitrary File Upload
- Patched in Version: No known fix
- Severity Score: Critical
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 27. MF Gig Calendar
- Vulnerability: Reflected Cross-Site Scripting (XSS)
- Patched in Version: No known fix
- Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 28. BuddyPress
- Vulnerability: Activation Key Disclosure
- Patched in Version: 9.1.1
- Severity Score: Medium
The vulnerability is patched, so you should update to version 9.1.1.
Plugin: BuddyPress
- Vulnerability: SQL Injections
- Patched in Version: 9.1.1
- Severity Score: High
The vulnerability is patched, so you should update to version 9.1.1.
Plugin: 29. Jock on air now
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: 5.6.3
- Severity Score: Low
The vulnerability is patched, so you should update to version 5.6.3.
Plugin: Jock on air now
- Vulnerability: Arbitrary Plugin's Settings Update via CSRF
- Patched in Version: 5.6.2
- Severity Score: Medium
The vulnerability is patched, so you should update to version 5.6.2.
Plugin: Jock on air now
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 5.6.2
- Severity Score: High
The vulnerability is patched, so you should update to version 5.6.2.
Plugin: 30. ThinkTwit
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: 1.7.1
- Severity Score: Low
The vulnerability is patched, so you should update to version 1.7.1.
Plugin: 31. Shopping Cart & eCommerce Store
- Vulnerability: CSRF to Stored Cross-Site Scripting
- Patched in Version: No known fix
- Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 32. Gutenslider
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 5.2.0
- Severity Score: Medium
The vulnerability is patched, so you should update to version 5.2.0.
Plugin: 33. Visual Link Preview
- Vulnerability: Unauthorised AJAX Calls
- Patched in Version: 2.2.3
- Severity Score: Medium
The vulnerability is patched, so you should update to version 2.2.3.
Plugin: 34. Print My Blog
- Vulnerability: Plugin Deactivation via CSRF
- Patched in Version: 3.4.2
- Severity Score: Medium
The vulnerability is patched, so you should update to version 2.2.3.
Plugin: 35. Splash Header
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: 1.20.8
- Severity Score: Low
The vulnerability is patched, so you should update to version 1.20.8.
Plugin: 36. youForms for WordPress
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: No known fix
- Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 37. Availability Calendar
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: No known fix
- Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: Availability Calendar
- Vulnerability: Authenticated SQL Injection
- Patched in Version: No known fix
- Severity Score: High
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 38. WP Mapa Politico Espana
- Vulnerability: Authenticated Stored XSS
- Patched in Version: No known fix
- Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 39. Alojapro Widget
- Vulnerability: Authenticated Stored Cross-Sitea Scripting(XSS)
- Patched in Version: No known fix
- Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 40. You Shang
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: No known fix
- Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 41. WP Dialog
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: No known fix
- Severity Score: Low
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 42. Donate With QRCode
- Vulnerability: Subscriber+ Stored Cross-Site Scripting
- Patched in Version: No known fix
- Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
Plugin: 43. WP Mobile Menu
- Vulnerability: Reflected Cross-Site Scripting (XSS)
- Patched in Version: 2.8.2.3
- Severity Score: High
The vulnerability is patched, so you should update to version 2.8.2.3.
Plugin: 44. W3SCloud Contact Form 7 to Zoho CRM
- Vulnerability: Reflected Cross-Site Scripting (XSS)
- Patched in Version: 2.1.0
- Severity Score: High
The vulnerability is patched, so you should update to version 2.1.0.
Plugin: 45. Erident Custom Login and Dashboard
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: 3.5.9
- Severity Score: Low
The vulnerability is patched, so you should update to version 3.5.9.
Plugin: 46. WP Cerber Security
- Vulnerability: Rest-API Protection Bypass
- Patched in Version: 8.9.3
- Severity Score: Medium
The vulnerability is patched, so you should update to version 8.9.3.
Plugin: WP Cerber Security
- Vulnerability: 2FA Authentication Bypass
- Patched in Version: 8.9.3
- Severity Score: Medium
The vulnerability is patched, so you should update to version 8.9.3.
Plugin: 47. Flagallery Photo Portfolio
- Vulnerability: Full Path Disclosure
- Patched in Version: 4.25
- Severity Score: Medium
The vulnerability is patched, so you should update to version 4.25.
Plugin: 48. GRAND Flash Album Gallery
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.67
- Severity Score: High
The vulnerability is patched, so you should update to version 1.67.
Plugin: GRAND Flash Album Gallery 0.55
- Vulnerability: lib/hitcounter.php pid Parameter SQL Injection
- Patched in Version: 0.60
- Severity Score:
The vulnerability is patched, so you should update to version 0.60.
Plugin: GRAND Flash Album Gallery
- Vulnerability: Reflected Cross-Site Scripting via wp-admin/admin.php skin parameter
- Patched in Version: 1.76
- Severity Score: High
The vulnerability is patched, so you should update to version 1.76.
Plugin: GRAND Flash Album Gallery 1.9.0 & 2.0.0
- Vulnerability: Multiple Vulnerabilities
- Patched in Version: 2.10
- Severity Score: High
The vulnerability is patched, so you should update to version 2.10.
Plugin: 49. 2Way VideoCalls and Random Chat
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 5.2.8
- Severity Score: High
The vulnerability is patched, so you should update to version 5.2.8.
Conclusion :
If your WordPress website has any of these 49 vulnerable plugins, make sure you get it removed as soon as possible or update it to the secure version. Sometimes, it gets challenging to keep track of the plugins on your website. Tools like iThemes Security Pro can help you scan through your website to find any glitches or vulnerabilities. These tools will ensure your website stays safe and secure.