This archive contains the list of all security vulnerabilities in WordPress plugins that we (responsibly) disclosed.
Most of the vulnerabilities have been validated by:
- GridPane
- The InfoSec team of one of the largest enterprise WordPress hosts.
- A fellow white-hat hacker with 20 years of experience working with Fortune 500 and government agencies.
- Thomas Raef, CEO at wewatchyourwebsite.com
There are three reasons a vulnerability might be listed here:
- The vendor has already fixed the vulnerability.
- The vendor did not indicate any progress toward a resolution.
- The vendor stated that they did not consider our findings to be a security issue.
For vendors:
Potential patches were last evaluated on September 21, 2022.
If an issue has been fixed, let us know through the comment form on the respective disclosure page.
- 2FA bypass by deleting a hidden input field – WP 2FA <= 2.2.0
  The entire two-factor authentication check can be bypassed by deleting a hidden input field in the 2FA form.
- Time-based side-channel attack on backup codes – Two Factor Authentication (Updraft) <= 1.14.5
  The plugin compares backup codes with string comparison operators that do not mitigate timing side channels, which could be abused to reverse engineer information about a user's emergency backup codes.
- Broken encryption allows 2FA bypass – Two Factor Authentication (Updraft) <= 1.14.5
  The Two Factor Authentication plugin by Updraft employs a broken encryption scheme that allows an attacker to permanently bypass all 2FA checks.
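The string-comparison weakness in the Updraft backup-code entry above, as an added example that is not part of this archive or of the plugin's code: a simulated early-exit comparison whose work count stands in for response time, an attacker loop that recovers a code one character at a time from that oracle, and the constant-time check (Python's hmac.compare_digest; the PHP equivalent a WordPress plugin should use is hash_equals()) against which the same loop recovers nothing. The secret value, the six-digit code format and all function names are constructed for illustration.

```python
import hmac
from typing import Callable

# Constructed sample: a six-digit emergency backup code (not a real value).
SECRET_CODE = "483921"
CODE_ALPHABET = "0123456789"

# An oracle takes the attacker's guess and returns (accepted, work_units),
# where work_units models the server's response time.
Oracle = Callable[[str], tuple[bool, int]]


def naive_compare(expected: str, supplied: str) -> tuple[bool, int]:
    """Early-exit comparison, the behaviour of ordinary equality operators
    such as PHP's == and === on strings.

    Returns (match, bytes_examined). The loop stops at the first mismatch,
    so a guess sharing a longer prefix with the secret costs more work
    (and, on a real server, measurably more time) to reject.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected.encode(), supplied.encode()):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: str, supplied: str) -> tuple[bool, int]:
    """Fixed-work comparison. hmac.compare_digest touches every byte of
    equal-length inputs before answering, so the work is len(expected)
    regardless of where the first mismatch sits (PHP: hash_equals()).
    Length still leaks, so backup codes should all be the same length.
    """
    match = hmac.compare_digest(expected.encode(), supplied.encode())
    return match, len(expected)


def recover_with_oracle(oracle: Oracle, length: int, alphabet: str = CODE_ALPHABET) -> str:
    """Attacker loop: extend the known prefix one position at a time,
    keeping the candidate whose rejection cost the server the most work.
    Needs len(alphabet) * length queries instead of len(alphabet) ** length.
    Against a constant-time check every candidate costs the same, so the
    loop just keeps alphabet[0] at every position and learns nothing.
    """
    known = ""
    for pos in range(length):
        best_char, best_work = alphabet[0], -1
        for ch in alphabet:
            # Pad the remaining positions with a fixed filler character.
            guess = known + ch + alphabet[0] * (length - pos - 1)
            accepted, work = oracle(guess)
            if accepted:
                return guess
            if work > best_work:
                best_char, best_work = ch, work
        known += best_char
    return known


def attack(compare: Callable[[str, str], tuple[bool, int]]) -> str:
    """Run the attacker loop against a server that checks SECRET_CODE with `compare`."""
    return recover_with_oracle(lambda guess: compare(SECRET_CODE, guess), len(SECRET_CODE))


if __name__ == "__main__":
    print("early-exit compare, recovered:", attack(naive_compare))            # 483921
    print("constant-time compare, recovered:", attack(constant_time_compare))  # 000000
```

Beyond switching to a constant-time comparison, storing backup codes only as salted hashes and comparing the hashes removes the plaintext codes from the database entirely, so a timing oracle or a database leak yields nothing directly usable.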
Search vulnerabilities by vendor:
All In One WP Security (4) Blackhole for Bad Bots (2) BlogVault (1) Breakdance (1) Bricks (1) Cwicly (1) Google Authenticator (2) iThemes (3) Jetpack (2) Magic Login Pro (2) MalCare (1) miniOrange (7) Pantheon (1) Shield Security (3) SiteGround Security (5) Two-Factor (Plugin Contributors) (3) Two Factor Authentication (Updraft) (2) WordFence (3) WordFence Login Security (2) WP 2FA (4) WPMU Defender (6) WPRemote (1) WPUmbrella (1) XWP (1) Zero Spam for WordPress (1)
Search vulnerabilities by classification:
Broken Authentication (15) Injection (4) Insufficient Cryptography (16) IP spoofing (24) Sensitive Data Exposure (16)