WordPress plugin vulnerabilities


This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.

Most of the vulnerabilities have been validated by:

  • GridPane
  • The InfoSec team of one of the largest enterprise WordPress hosts.
  • A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
  • Thomas Raef, CEO at wewatchyourwebsite.com

There are three reasons a vulnerability might be listed here:

  • The vendor has already fixed the vulnerability.
  • The vendor did not indicate any progress toward a resolution.
  • The vendor stated that they did not consider our findings to be a
    security issue.


For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed let us know through the comment form on the respective disclosure page.

  • Trivial comment spam bypass – (All in One WP Security <= 5.0.7)

    The plugin relies on .htaccess rules to block comment spam. NGINX does not process .htaccess files, so the protection is simply absent there, and even where Apache applies the rules the check can be trivially bypassed by spoofing the request header it relies on.

  • Bypass login page IP allowlist – (All in One WP Security <= 5.0.7)

    The plugin’s IP allowlist for the login page does not work on NGINX servers.

  • DOS through IP spoofing – (CleanTalk <= 5.184)

    The plugin is wide open to IP spoofing, which an attacker can exploit to permanently ban search engine crawlers, the site’s reverse proxy, or legitimate users locally and in CleanTalk’s remote WAF.

  • DDOS simulation through IP spoofing – (Sucuri Security <= 1.8.35)

    Affected plugin: Sucuri Security
    Active installs: 800,000+
    Vulnerable version: <= 1.8.35
    Audited version: 1.8.35
    Fully patched version: –
    Recommended remediation: Never use the plugin without the remote WAF (premium) enabled
    Description: The plugin is vulnerable to IP spoofing if the remote WAF is not enabled. Currently, the (free) plugin is mostly sending alerts and does…

  • Total site takeover through broken 2FA in combination with SQLi – (WPMU Defender <= 3.3.0)

    An attacker can compromise any site using the plugin’s 2FA functionality by logging in as any user who has two-factor authentication configured. The precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL injection vulnerabilities. Furthermore, the attacker needs to obtain a valid WordPress nonce, which he can…

  • Compromise of 2FA secrets and emergency codes through read-only SQLi – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL injections will be able to…

  • Time-based-side-channel attacks on secrets – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse…

  • DOS through IP spoofing – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin is vulnerable to IP spoofing, which an attacker can continuously exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users.
    Proof of concept: The plugin…

  • Time-Based-Side-Channel-Attack on 2FA secrets – (iThemes Security <= 8.1.2)

    Affected plugin: iThemes Security
    Active installs: 1+ million
    Vulnerable version: <= 8.1.2
    Audited version: 8.1.2
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can…

  • Compromise of 2FA secrets through read-only SQLi – (iThemes Security <= 8.1.2)

    Affected plugin: iThemes Security
    Active installs: 1+ million
    Vulnerable version: <= 8.1.2
    Audited version: 8.1.2
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin stores users’ TOTP secrets in plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL injections will be able to bypass all…

  • DOS through IP spoofing – (iThemes Security <= 8.1.2)

    The plugin is wide open to IP spoofing, which an attacker can exploit to ban search-engine crawlers, the site’s reverse proxy, or legitimate users.
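The IP-spoofing entries above (CleanTalk, Sucuri Security, WPMU Defender, iThemes Security) all come down to the same mechanism: at the HTTP layer an attacker cannot forge the TCP source address, so "IP spoofing" means the plugin derives the client address from request headers such as X-Forwarded-For that any client can set. The following is an added example, not code from any plugin listed on this page; it puts the spoofable resolver next to one that honours forwarding headers only behind an explicitly configured proxy. The `$trusted_proxies` list and the addresses in the sample requests are constructed for the illustration.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Contrast: resolving the client address from spoofable headers versus
// trusting them only behind an explicitly configured reverse proxy.

declare(strict_types=1);

/**
 * Vulnerable pattern: take the first forwarding header that is present.
 * Every one of these headers is written by whoever sends the request, so the
 * attacker chooses which address gets rate-limited, banned, or reported.
 */
function client_ip_vulnerable(array $server): string
{
    $headers = ['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'];
    foreach ($headers as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);   // leftmost, client-controlled entry
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/**
 * Hardened pattern: REMOTE_ADDR is the only address the TCP layer vouches for.
 * X-Forwarded-For is consulted only when REMOTE_ADDR is one of the proxies the
 * operator listed ($trusted_proxies, assumed to come from wp-config.php), and
 * the client is the rightmost entry that is not itself a trusted proxy: the
 * hop our own proxy appended, not the entries the client wrote.
 */
function client_ip_hardened(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (in_array($chain[$i], $trusted_proxies, true)) {
            continue;
        }
        return filter_var($chain[$i], FILTER_VALIDATE_IP) !== false ? $chain[$i] : $remote;
    }
    return $remote;   // every hop was one of our proxies; fall back to the socket address
}

// Constructed request 1: attacker at 203.0.113.7 connects directly (no proxy in
// front) and sends a header naming 198.51.100.9, a stand-in for a crawler or
// another legitimate visitor it wants banned.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
];

// Constructed request 2: same attacker, now via the site's real reverse proxy
// at 10.0.0.5, which appends the true peer address to whatever was sent.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
];

$trusted = ['10.0.0.5'];   // hypothetical operator-configured proxy list
printf("direct/vulnerable:  %s\n", client_ip_vulnerable($direct));
printf("direct/hardened:    %s\n", client_ip_hardened($direct, $trusted));
printf("proxied/vulnerable: %s\n", client_ip_vulnerable($proxied));
printf("proxied/hardened:   %s\n", client_ip_hardened($proxied, $trusted));
```

In both constructed requests the vulnerable resolver attributes the request to 198.51.100.9, so any ban or remote-WAF report lands on the framed address, while the hardened resolver returns the attacker's own 203.0.113.7. The hardening is only as good as the proxy list: a site behind a CDN needs that provider's egress ranges in it (matched by CIDR rather than the exact-string `in_array` used here), and a plugin cannot guess that list, which is why the safe default is to trust nothing but REMOTE_ADDR until the operator configures otherwise.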
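The WPMU Defender and iThemes Security entries on 2FA secrets and timing side channels describe two separate defects that the same piece of code usually exhibits: secrets stored in a form that a read-only SQL injection can use directly, and secrets compared with an ordinary string operator. The following is an added example, not code from either plugin; the vulnerable half is an illustration of the pattern the advisories describe, not a reproduction of the plugins' source. The `TWO_FA_KEY` constant is hypothetical and stands in for a key the operator would define in wp-config.php; the TOTP seed and emergency codes are made up.

```php
<?php
// Added example, not code from WPMU Defender or iThemes Security.
// Vulnerable half: plaintext TOTP secret and emergency codes in the database,
// secrets compared with an ordinary string operator.
// Hardened half: secrets a SELECT-only injection cannot use, constant-time checks.

declare(strict_types=1);

// ---- Vulnerable pattern ----------------------------------------------------
function store_2fa_vulnerable(array &$usermeta, string $totp_secret, array $backup_codes): void
{
    $usermeta['totp_secret']  = $totp_secret;   // readable by any SELECT-capable SQLi
    $usermeta['backup_codes'] = $backup_codes;  // same
}

function check_backup_code_vulnerable(array $usermeta, string $submitted): bool
{
    foreach ($usermeta['backup_codes'] as $code) {
        // == stops at the first differing byte, so response time leaks how many
        // leading characters were right; being loose, it also treats numeric
        // strings such as "1e3" and "1000" as equal.
        if ($code == $submitted) {
            return true;
        }
    }
    return false;
}

// ---- Hardened pattern ------------------------------------------------------
// TWO_FA_KEY stands in for a hypothetical 32-byte constant the operator would
// define in wp-config.php: it lives on disk, so the database alone decrypts
// nothing. It is generated at runtime here only to keep the example self-contained.
define('TWO_FA_KEY', sodium_crypto_secretbox_keygen());

function store_2fa_hardened(array &$usermeta, string $totp_secret, array $backup_codes): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($totp_secret, $nonce, TWO_FA_KEY);
    $usermeta['totp_secret'] = base64_encode($nonce . $box);
    // Emergency codes are single-use passwords; hash them like passwords.
    $usermeta['backup_codes'] = array_map(
        fn (string $code): string => password_hash($code, PASSWORD_DEFAULT),
        $backup_codes
    );
}

function load_totp_secret_hardened(array $usermeta): ?string
{
    $raw = base64_decode($usermeta['totp_secret'], true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, TWO_FA_KEY);
    return $plain === false ? null : $plain;   // false on tampering or wrong key
}

function check_backup_code_hardened(array &$usermeta, string $submitted): bool
{
    foreach ($usermeta['backup_codes'] as $i => $hash) {
        if (password_verify($submitted, $hash)) {   // constant-time comparison inside
            unset($usermeta['backup_codes'][$i]);   // burn the code on first use
            return true;
        }
    }
    return false;
}

// Where two secrets genuinely have to be compared as strings (for instance a
// freshly computed TOTP value against the submitted one), use hash_equals().
function code_matches(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// Constructed sample data
$secret = 'JBSWY3DPEHPK3PXP';                 // base32 TOTP seed, made up
$codes  = ['48213-77740', '90112-33481'];      // emergency codes, made up
$row    = [];
store_2fa_hardened($row, $secret, $codes);

var_dump(load_totp_secret_hardened($row) === $secret);       // round trip through the key
var_dump(check_backup_code_hardened($row, '90112-33481'));   // first use of a code
var_dump(check_backup_code_hardened($row, '90112-33481'));   // second use of the same code
var_dump(code_matches('123456', '123456'), code_matches('123456', '123457'));
```

With the hardened storage a read-only injection yields a ciphertext it cannot open without the key on disk and password hashes it would have to crack offline; the emergency code is accepted once and rejected on reuse. `hash_equals()` runs in time independent of where the strings differ but still reveals a length mismatch, which is harmless for fixed-width TOTP codes and backup codes but means variable-length secrets should be compared as hashes of equal length.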