This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.
Most of the vulnerabilities have been validated by:
- GridPane
- The InfoSec team of one of the largest enterprise WordPress hosts.
- A fellow white-hat hacker with 20 years of experience working with Fortune 500 companies and government agencies.
- Thomas Raef, CEO at wewatchyourwebsite.com
There are three reasons a vulnerability might be listed here:
- The vendor has already fixed the vulnerability.
- The vendor did not indicate any progress toward a resolution.
- The vendor stated that they did not consider our findings to be a security issue.
For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed, let us know through the comment form on the respective disclosure page.
- DoS and allowlist bypass through IP spoofing – (SiteGround Security <= 1.3.0)
  The plugin is vulnerable to IP spoofing, which an attacker can abuse to perform a DoS attack on the target site by preventing legitimate users, or the site's reverse proxy, from making requests to the wp-login endpoint. Alternatively, an attacker can spoof their IP address to bypass the IP allowlist and all rate-limit restrictions.
- DoS through IP spoofing – (SiteGuard <= 1.6.1)
  An attacker can exploit an IP spoofing vulnerability in the plugin to get arbitrary users, or the site's reverse proxies, banned.
- DoS through IP spoofing – (Loginizer <= 1.7.3)
  An attacker can get arbitrary IP addresses banned on the target site by spoofing HTTP headers. This can be exploited to ban search-engine crawlers, the site's reverse proxy, or legitimate users.
- DoS through IP spoofing – (Limit Login Attempts Reloaded <= 2.25.5)
  An attacker can exploit this to ban legitimate users, or the site's own reverse proxy, from making requests to the wp-login endpoint, which prevents anybody from logging into the site.
- DoS through IP spoofing – (WP fail2ban <= 4.4.0.6)
  The plugin is vulnerable to IP spoofing when the site operator uses its trusted-proxies feature. An attacker can exploit this to get search-engine crawlers, the site's reverse proxy, or legitimate users banned at the fail2ban level.
- DoS through IP spoofing – (SecuPress <= 2.2.2)
  The plugin rate-limits and/or bans users by their current IP address. The implementation is vulnerable to IP spoofing, so an attacker can get arbitrary IP addresses banned, including those of search-engine crawlers, the site's reverse proxy, or legitimate users.
- DoS through IP spoofing – (Magic Login Pro <= 1.4.1)
  The plugin rate-limits login requests by the current IP address. The implementation is vulnerable to IP spoofing, which an attacker can use to get arbitrary users, or the site's reverse proxy, banned from accessing the login page.
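The seven IP-spoofing entries above share one root cause: the plugin derives the client address from a request header such as X-Forwarded-For, which any client can set, and then keys its ban or rate-limit counter on that value. The PHP below is an added example and not code from any of the plugins listed; it puts a resolver with that flaw next to one that only honours the header when the TCP peer is a configured trusted proxy, and exercises both with constructed requests. The addresses, the `$trusted_proxies` list and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from any plugin listed above. Two ways to resolve
// the "client IP" that a login-protection plugin keys its bans on.

// VULNERABLE: honours X-Forwarded-For from anyone. Any client can send this
// header, so the value returned is whatever the attacker wrote into it.
function client_ip_vulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($hops[0]); // leftmost hop is attacker-controlled
    }
    return $server['REMOTE_ADDR'];
}

// HARDENED: only honour the header when the TCP peer is one of our own
// proxies, and walk the chain from the right, skipping trusted hops, so the
// result is the first address that was NOT appended by something we control.
// Returns null when the chain cannot be attributed; the caller should then
// refuse the request rather than ban or rate-limit whatever it found.
function client_ip_hardened(array $server, array $trusted_proxies): ?string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer; // direct connection: header is untrusted, use the socket address
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return null; // a trusted proxy always appends the peer; a missing header is a misconfiguration
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return null; // a proxy we trust never writes garbage here
        }
        if (!in_array($ip, $trusted_proxies, true)) {
            return $ip;
        }
    }
    return null; // every hop was one of our proxies: nothing to attribute the request to
}

// Constructed requests (not real traffic). 203.0.113.7 is the attacker,
// 198.51.100.10 is the site's reverse proxy, 66.249.66.1 stands for a search
// engine crawler the attacker wants locked out.
$trusted_proxies = ['198.51.100.10'];

$requests = [
    // attacker reaches the origin directly and forges the header
    'direct, forged crawler IP' => [
        'REMOTE_ADDR'          => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '66.249.66.1',
    ],
    // attacker forges the proxy's own address to get the proxy banned
    'direct, forged proxy IP' => [
        'REMOTE_ADDR'          => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.10',
    ],
    // attacker comes through the proxy, which appends the real peer on the right
    'via proxy, forged chain' => [
        'REMOTE_ADDR'          => '198.51.100.10',
        'HTTP_X_FORWARDED_FOR' => '66.249.66.1, 198.51.100.10, 203.0.113.7',
    ],
];

foreach ($requests as $label => $server) {
    printf("%-28s vulnerable=%-15s hardened=%s\n", $label,
        client_ip_vulnerable($server),
        client_ip_hardened($server, $trusted_proxies) ?? 'unattributable');
}
```

Run it with the `php` command-line binary. The vulnerable resolver reports the crawler's address, or the proxy's own address, for every request, so a burst of failed logins carrying that header bans the crawler or the proxy; the hardened resolver attributes all three requests to 203.0.113.7, the only address the attacker cannot choose. Two points matter when porting this to a real deployment: the trusted list must contain exactly the addresses your own proxies connect from, and the header you honour must be the one your proxy actually sets (some CDNs use a dedicated header instead of X-Forwarded-For). Trusting the header without that peer check is what turns a ban list into a DoS primitive.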
- Site takeover by stealing login tokens – (Magic Login Pro < 1.4.1)
  The plugin stores login tokens in plaintext in the "wp_usermeta" table. This is as dangerous as storing passwords in plaintext, since anybody who can read a login token can authenticate as the target user.
- Exposure of encryption secrets in world-readable .txt file – (WP 2FA <= 2.3.0)
  Under certain conditions the plugin logs all users' 2FA secrets to a world-readable .txt file in the "wp-uploads" directory.
- Time-based side-channel attack on secrets – (WP 2FA <= 2.3.0)
  In almost every place where a secret key is compared to user input, the plugin uses string comparison operators that do not mitigate timing attacks. Given enough requests, a skilled attacker can abuse this to recover secrets through a timing side channel.
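The plaintext-token finding for Magic Login Pro and the timing side-channel finding for WP 2FA are addressed by the same two habits: persist only a digest of any secret the server must recognise later, and compare secrets with a constant-time function. The PHP below is an added example and not code from either plugin; it uses a plain array in place of the wp_usermeta table, and the function names and the TOKEN_TTL value are invented for illustration.

```php
<?php
// Added example, not code from either plugin. $store stands in for the
// wp_usermeta table (in WordPress this would be update_user_meta()/
// get_user_meta(), not shown); the function names and TOKEN_TTL are invented.

const TOKEN_TTL = 600; // seconds a login token stays valid (arbitrary choice)

// Issue a token. The raw value goes to the user (e.g. in a magic-login link);
// only its SHA-256 digest and an expiry are persisted, so a database read,
// whether through a backup, a read-only SQL injection, or an over-privileged
// DB account, does not hand out anything that logs someone in.
function issue_login_token(array &$store, int $user_id, int $now): string
{
    $raw = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[$user_id] = [
        'hash'    => hash('sha256', $raw),
        'expires' => $now + TOKEN_TTL,
    ];
    return $raw;
}

// Verify a submitted token. Hashing the submission first gives both sides the
// same length, and hash_equals() then compares in constant time, so response
// time does not depend on how many leading bytes matched. A plain == would
// also type-juggle numeric-looking strings ("0e1" == "0e2" is true in PHP).
function verify_login_token(array &$store, int $user_id, string $submitted, int $now): bool
{
    if (!isset($store[$user_id])) {
        return false;
    }
    $rec = $store[$user_id];
    $ok  = hash_equals($rec['hash'], hash('sha256', $submitted)) && $now <= $rec['expires'];
    if ($ok) {
        unset($store[$user_id]); // single use: burn the token once it has logged someone in
    }
    return $ok;
}

// The same comparison rule applies to TOTP codes and backup codes: the value
// the server computed and the value the user typed go through hash_equals().
function verify_2fa_code(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// Constructed walk-through.
$store = [];
$now   = time();

$token = issue_login_token($store, 42, $now);
var_dump(verify_login_token($store, 42, $token, $now));                 // first use
var_dump(verify_login_token($store, 42, $token, $now));                 // replay of the same token
$token = issue_login_token($store, 42, $now);
var_dump(verify_login_token($store, 42, $token, $now + TOKEN_TTL + 1)); // presented after expiry
var_dump(verify_2fa_code('492039', '492039'), verify_2fa_code('492039', '492038'));
```

Run it with the `php` command-line binary. Only the first use of a fresh token succeeds; the replay and the expired presentation fail, and the two 2FA checks show the match and the mismatch. The design choice worth copying is the split between what the user holds (the raw token) and what the database holds (its digest): with that split, the read-only SQL injection described in the next entry yields a SHA-256 value that cannot be presented to the login endpoint, and the constant-time compare removes the per-byte timing signal that the side-channel entry relies on.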
- Broken authentication leads to total site takeover in combination with read-only SQLi – (WP 2FA <= 2.2.1)
  An attacker can take over the entire site by logging in as any user who has two-factor authentication enabled, without knowing that user's primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the many read-only SQL-injection vulnerabilities.
Search vulnerabilities by vendor:
All In One WP Security (4) Blackhole for Bad Bots (2) BlogVault (1) Breakdance (1) Bricks (1) Cwicly (1) Google Authenticator (2) iThemes (3) Jetpack (2) Magic Login Pro (2) MalCare (1) miniOrange (7) Pantheon (1) Shield Security (3) SiteGround Security (5) Two-Factor (Plugin Contributors) (3) Two Factor Authentication (Updraft) (2) WordFence (3) WordFence Login Security (2) WP 2FA (4) WPMU Defender (6) WPRemote (1) WPUmbrella (1) XWP (1) Zero Spam for WordPress (1)
Search vulnerabilities by classification:
Broken Authentication (15) Injection (4) Insufficient Cryptography (16) IP spoofing (24) Sensitive Data Exposure (16)