This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.
Most of the vulnerabilities have been validated by:
- GridPane
- The InfoSec team of one of the largest enterprise WordPress hosts.
- A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
- Thomas Raef, CEO at wewatchyourwebsite.com
There are three reasons a vulnerability might be listed here:
- The vendor has already fixed the vulnerability.
- The vendor did not indicate any progress toward a resolution.
- The vendor stated that they did not consider our findings to be a security issue.
For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed, let us know through the comment form on the respective disclosure page.
-
Total site takeover in combination with read-only SQLi – (WordFence Login Security <= 1.0.10)
An attacker can compromise any site using WordFence's 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL injection vulnerabilities. Neither the target user's primary credentials nor any other form of authentication is required.
-
DoS through IP spoofing – (Shield Security <= 16.1.6)
The plugin is vulnerable to IP spoofing, which an attacker can exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users.
-
Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence Login Security <= 1.0.11)
The plugin stores users' emergency backup codes and TOTP secrets as plaintext in the database. An attacker who can obtain one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.
-
Broken encryption allows 2FA bypass – (All in One WP Security <= 5.0.7)
The plugin employs a broken encryption scheme that allows an attacker to permanently bypass all 2FA checks under the condition that the target website was vulnerable at any point in time to one of the never-ending read-only SQL-Injections in any plugin, theme, or WordPress core.
-
DoS through IP spoofing – (All in One WP Security <= 5.0.7)
The plugin is wide open to IP spoofing, which an attacker can exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users. Alternatively, an attacker can bring down the entire MySQL server by flooding the database with the entire IPv4 range.
-
Trivial comment spam bypass – (All in One WP Security <= 5.0.7)
The plugin relies on .htaccess rules to block comment spam, which will not work on NGINX servers and can be trivially bypassed through header spoofing.
-
Bypass login page IP allowlist – (All in One WP Security <= 5.0.7)
The plugin’s IP allowlist for the login page does not work on NGINX servers.
-
DoS through IP spoofing – (CleanTalk <= 5.184)
The plugin is wide open to IP spoofing, which an attacker can exploit to permanently ban search engine crawlers, the site’s reverse proxy, or legitimate users locally and in CleanTalk’s remote WAF.
-
DDoS simulation through IP spoofing – (Sucuri Security <= 1.8.35)
Affected plugin: Sucuri Security
Active installs: 800,000+
Vulnerable version: <= 1.8.35
Audited version: 1.8.35
Fully patched version: –
Recommended remediation: Never use the plugin without the remote WAF (premium) enabled.
Description: The plugin is vulnerable to IP spoofing if the remote WAF is not enabled. Currently, the (free) plugin is mostly sending alerts and does…
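The IP-spoofing weakness behind the Shield Security, All in One WP Security, CleanTalk and Sucuri Security entries above is the same pattern: the plugin derives the client address from a header the client controls, then keys bans and rate limits on it. The Python below is an added illustration, not code from any of those plugins. It assumes a single reverse proxy in 10.0.0.0/8 that appends the address it accepted the connection from to X-Forwarded-For; all other addresses are constructed TEST-NET values.

```python
import ipaddress

# Assumption for this example: the site sits behind one reverse proxy in
# 10.0.0.0/8 that appends the peer it accepted the connection from to
# X-Forwarded-For. Replace with the real proxy address(es) in production.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_naive(env):
    """Vulnerable pattern: believe whatever X-Forwarded-For says.

    env mimics PHP's $_SERVER. Any client can send the header, so a ban
    list keyed on this value bans whoever the attacker names: a search
    engine crawler, the site's own reverse proxy, or another user.
    """
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if xff:
        return xff.split(",")[0].strip()
    return env["REMOTE_ADDR"]


def client_ip_hardened(env, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and walk the chain from the right: the first hop that is not one of
    our proxies is the client. A header sent by an untrusted peer is ignored.
    """
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    if not any(peer in net for net in trusted):
        return str(peer)
    hops = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed(hops):
        if not hop:
            continue
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to the left of it
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)


def simulate_flood(resolver, requests=50, threshold=5):
    """One attacker at 203.0.113.7 sends `requests` failed logins, each naming
    a different spoofed address in X-Forwarded-For (constructed TEST-NET
    values). Returns (distinct addresses the ban list had to track,
    whether the attacker's real address ended up banned).
    """
    attacker = "203.0.113.7"
    failures = {}
    for i in range(requests):
        env = {
            "REMOTE_ADDR": attacker,
            "HTTP_X_FORWARDED_FOR": str(ipaddress.ip_address("198.51.100.0") + i),
        }
        key = resolver(env)
        failures[key] = failures.get(key, 0) + 1
    banned = {addr for addr, count in failures.items() if count >= threshold}
    return len(failures), attacker in banned


if __name__ == "__main__":
    print("naive:   ", simulate_flood(client_ip_naive))     # (50, False)
    print("hardened:", simulate_flood(client_ip_hardened))  # (1, True)
```

With the naive resolver the flood creates one tracked entry per spoofed address and never bans the attacker; run against the whole IPv4 range, that is the storage exhaustion the All in One WP Security entry describes. The hardened resolver collapses every request to the real peer and bans it after the threshold. The same check is what a remote WAF in front of the site provides: it sees the TCP peer directly and does not have to guess from headers.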
-
Total site takeover through broken 2FA in combination with SQLi – (WPMU Defender <= 3.3.0)
An attacker can compromise any site using the plugin's 2FA functionality by logging in as any user with two-factor authentication configured. The precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL injection vulnerabilities. Furthermore, the attacker needs to obtain a valid WordPress nonce, which they can…
-
Compromise of 2FA secrets and emergency codes through read-only SQLi – (WPMU Defender <= 3.3.0)
Affected plugin: WPMU Defender
Active installs: 70,000+
Vulnerable version: <= 3.3.0
Audited version: 3.2.0
Fully patched version: –
Recommended remediation: Removal of the plugin
Description: The plugin stores users' emergency backup codes and TOTP secrets as plaintext in the database. An attacker who can obtain one of the seemingly never-ending read-only SQL injections will be able to…
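What a read-only SQL injection buys an attacker when second-factor material sits in plaintext, as the WordFence Login Security and WPMU Defender entries above describe: the TOTP secret lets them compute valid codes for any point in time, and a plaintext backup code can be submitted verbatim. The Python below is an added example, not code from either plugin. The secret is the RFC 6238 test key (ASCII "12345678901234567890"), the backup code and database rows are constructed, and the salted PBKDF2 storage for backup codes is this editor's suggestion rather than anything the page attributes to a vendor.

```python
import base64
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # slow hash for backup codes; tune to the server


def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1, exactly as an authenticator app computes it.

    Anyone holding the raw base32 secret can run this for any time `at`, so a
    plaintext secret read through SQL injection is a permanent 2FA bypass.
    """
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_backup_code(code, salt=None):
    """Store an emergency backup code the way a password is stored: salted,
    slow hash. The database row then holds nothing the attacker can type
    into the login form.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_backup_code(candidate, stored):
    """Constant-time check of a submitted code against its stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed rows for one user, as a read-only SQLi would return them.
# RFC 6238 test key; real secrets are random and must never be reused.
LEAKED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PLAINTEXT_ROW = {"totp_secret": LEAKED_SECRET, "backup_code": "4815-1623"}
HASHED_ROW = {"totp_secret": LEAKED_SECRET, "backup_code": hash_backup_code("4815-1623")}


def leaked_backup_code_works(row):
    """Does submitting the stored value verbatim pass verification?"""
    stored = row["backup_code"]
    if "$" not in stored:          # plaintext store: verification is equality
        return stored == row["backup_code"]
    return verify_backup_code(stored, stored)  # hash of the hash never matches


if __name__ == "__main__":
    now = 1234567890
    print("code the attacker can submit right now:", totp(LEAKED_SECRET, now))  # 005924
    print("plaintext backup code usable:", leaked_backup_code_works(PLAINTEXT_ROW))  # True
    print("hashed backup code usable:   ", leaked_backup_code_works(HASHED_ROW))     # False
```

Hashing only fixes the backup codes. The TOTP secret has to be recovered in the clear to verify a code, so it cannot be hashed; the option left is to encrypt it under a key that lives outside the database (a constant in wp-config.php, for instance), which a read-only injection cannot reach. An encryption scheme that can be undone with material from the same database, as the All in One WP Security entry above describes, gives no protection against this attacker.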
Vulnerabilities by vendor (count):
All In One WP Security (4), Blackhole for Bad Bots (2), BlogVault (1), CleanTalk (1), Google Authenticator (2), iThemes (3), Jetpack (2), Limit Login Attempts Reloaded (1), Loginizer (1), Magic Login Pro (2), MalCare (1), miniOrange (7), SecuPress (1), Shield Security (3), SiteGround Security (5), Sucuri Security (1), Two-Factor (Plugin Contributors) (3), Two Factor Authentication (Updraft) (2), WordFence (3), WordFence Login Security (2), WP 2FA (4), WP fail2ban (1), WPMU Defender (6), WPUmbrella (1), Zero Spam for WordPress (1)

Vulnerabilities by classification (count):
Broken Authentication (13), Insufficient Cryptography (16), IP spoofing (23), Sensitive Data Exposure (16)