WordPress plugin vulnerabilities


This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.

Most of the vulnerabilities have been validated by:

  • GridPane
  • The InfoSec team of one of the largest enterprise WordPress hosts.
  • A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
  • Thomas Raef, CEO at wewatchyourwebsite.com

There are three reasons a vulnerability might be listed here:

  • The vendor has already fixed the vulnerability.
  • The vendor did not indicate any progress toward a resolution.
  • The vendor stated that they did not consider our findings to be a security issue.

For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed let us know through the comment form on the respective disclosure page.

  • Remote Code Execution – Cwicly <= 1.4.0.2

    Affected plugin: Cwicly
    Active installs: Not available – Commercial
    Vulnerable version: <= 1.4.0.2
    Audited version: 1.4.0.2
    Fully patched version: 1.4.0.3
    Recommended remediation: Upgrade immediately to version 1.4.0.3 or higher.
    Description: The Cwicly page builder is vulnerable to remote code execution (RCE) in versions <= 1.4.0.2, which means that an attacker can run arbitrary code/system commands…

  • Unauthenticated Remote Code Execution – Bricks <= 1.9.6

    Affected plugin: Bricks Builder
    Active installs: Commercial, ~25,000
    Vulnerable version: <= 1.9.6
    Audited version: 1.9.6
    Fully patched version: 1.9.6.1
    Recommended remediation: Upgrade immediately to version 1.9.6.1 or higher.
    Description: Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE), which means that anybody can run arbitrary commands and take over the site/server.…

  • Audit Log Tampering through IP spoofing – Stream <= 3.9.3

    Affected plugin: Stream
    Active installs: 80,000+
    Vulnerable version: <= 3.9.3
    Audited version: 3.9.3
    Fully patched version: 4.0.0
    Recommended remediation: Upgrade to version 4.0.0 or higher.
    Description: The plugin, utilized for audit and security logging, exhibits a vulnerability whereby malicious actors can easily spoof IP addresses. This is less than ideal, given the plugin’s widespread use…

  • SSO Enforcement Bypass – WP SAML Auth 2.1.3

    Affected plugin: WP SAML Auth
    Active installs: 5,000+
    Vulnerable version: <= 2.1.3
    Audited version: 2.1.3
    Fully patched version: 2.1.4
    Recommended remediation: Upgrade the plugin to 2.1.4.
    Description: The WP SAML Auth plugin allows enforcing that all users must log in via the configured SAML IDP rather than the standard WordPress login. This can be bypassed…

  • Possible site takeover through stolen API credentials in combination with SQLi – (MalCare <= 5.09)

    Affected plugin: MalCare
    Active installs: 300,000+
    Vulnerable version: <= 5.0.9
    Audited version: 4.97 / 5.0.9
    Fully patched version: 5.16
    Recommended remediation: Removal of the plugin.
    Description: MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites. Requests are authenticated by comparing a shared secret stored as plaintext in the…

  • Possible site takeover through stolen API credentials in combination with SQLi – (BlogVault <= 5.09)

    Affected plugin: BlogVault
    Active installs: 100,000+
    Vulnerable version: <= 5.09
    Audited version: 5.09
    Fully patched version: 5.16
    Recommended remediation: Removal of the plugin.
    Description: This vulnerability is identical to this one in MalCare because MalCare and BlogVault share 99% of their codebase.
    Proof of concept: Refer to this POC and use “bvbackup” in step 4.…

  • Possible site takeover through stolen API credentials in combination with SQLi – (WPRemote <= 5.09)

    Affected plugin: WPRemote
    Active installs: 20,000+
    Vulnerable version: <= 5.09
    Audited version: 5.09
    Fully patched version: 5.16
    Recommended remediation: Removal of the plugin.
    Description: This vulnerability is identical to this one in MalCare because MalCare and WPRemote share 99% of their codebase.
    Proof of concept: Refer to this POC and use “wpremote” in step 4.…

  • Possible site takeover through stolen API credentials in combination with SQLi – (WPUmbrella <= 2.10.0)

    WPUmbrella’s remote application uses a local companion plugin to perform its functionality. The communication between the remote WPUmbrella application and the WordPress site is secured using a shared secret stored as plaintext in the WordPress options table. An attacker that can read the plaintext value can fully impersonate WPUmbrella’s remote application and perform all actions,…

  • Encryption key is stored in version control – (WPMU Defender – 3.3.2)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: 3.3.2
    Audited version: 3.3.2
    Fully patched version: 3.3.3
    Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.
    Description: The plugin uses symmetric encryption before storing users’ TOTP secrets in the database. However, the encryption key is stored in version control and…

  • TOTP Secrets stored as plaintext in a world-readable file – (WPMU Defender 3.3.1)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: 3.3.1
    Audited version: 3.3.1
    Fully patched version: 3.3.3
    Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.
    Description: The plugin stores TOTP secrets as plaintext in a file inside the WordPress uploads directory. On the overwhelming majority of WordPress web server…

  • Total site takeover in combination with read-only SQLi – (WordFence <= 7.6.1)

    An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL injection vulnerabilities. Neither the target user’s primary credentials nor any other form of authentication is required.