WordPress Vulnerabilities July 2019 Edition

The month of July 2019 was a busy month for WordPress plugin vulnerabilities. There were approximately 30 vulnerabilities (I may have missed a few) in plugins and 1 in a theme that’s for sale on Theme Forest.

The best way to protect against plugin vulnerabilities is to use reputable plugins from developers who are active and, even more importantly, to keep your plugins up to date. If you don’t monitor your website regularly, then you should use a good WordPress maintenance service that will always monitor your website for vulnerabilities.

WordPress Plugin Vulnerabilities

Yoast SEO

This vulnerability was fixed in version 11.6 and the plugin has 5+ million active installations. You can learn more about the issue here.

WP Statistics

This plugin has 500,000+ active installations and the vulnerability was patched in version 12.6.7. You can learn more here.

WPS Hide Login

This vulnerability was fixed in version 1.5.3 and the plugin has 400,000+ active installations. Learn more about the vulnerability here.

WP File Manager

This vulnerability was patched in version 5.2 and the plugin has 400,000+ active installations. You can learn more about it here.

Ocean Extra

The vulnerability was fixed in version 1.5.9 of the plugin, and it has 400,000+ active installations. You can learn more about the issue here.

Photo Gallery

This vulnerability affects 300,000+ active installations, and the plugin should be updated to version 1.5.31 immediately. You can learn more about the issue here.

Widget Logic

This plugin has 300,000+ active installations and the vulnerability was patched in version 5.10.3, which you can learn more about here.

Pirate Forms

This vulnerability affects 200,000+ active installations and has been fixed in version 1.5.2. Learn more about the Pirate Forms vulnerability.

Ad Inserter

This plugin has 200,000+ installations and the vulnerability was fixed in version 2.4.20. You can learn more from the Wordfence blog.

Contact Form 7 Dynamic Text Extension

This plugin has 100,000+ active installations and the vulnerability has been fixed in version 2.0.3. Learn more here.

Email Subscribers & Newsletters

This issue has been resolved in version 4.1.8 and the plugin has 100,000+ active installations. You can learn more here.

Simple Membership

The plugin has a CSRF vulnerability that affects all 40,000+ active installations but has been fixed in version 3.8.5. You can see more details about the vulnerability here.

Advanced Contact Form 7 DB

This plugin has 40,000 active installations and the vulnerability was fixed in version 1.7.1. You can learn more about the vulnerability here.

FV Flowplayer Video Player

The issue was patched in version 7.3.19.727 of this plugin with 40,000+ active installations. You can learn more about it here.

Icegram

This vulnerability was patched in version 1.10.29 and the plugin has 40,000+ active installations. You can learn more about the vulnerability on the Sucuri blog.

Visitors Traffic Real Time Statistics

Some vulnerabilities for this plugin remain unfixed according to WP Vulnerabilities DB, but some have been fixed in version 1.13. This plugin has 40,000+ active installations. You can learn more about the issue here and watch the developer notes of the plugin to see when all issues have been patched.

Blog2Social

A vulnerability in Blog2Social, a plugin with 30,000+ active installations, has been fixed in version 5.6.0. Learn more here.

One Click SSL

This issue was patched in version 1.4.7 and the plugin has 20,000+ active installations. You can learn more here.

WPS Limit Login

This vulnerability is patched in version 1.4.6 and the plugin currently has 10,000+ active installations. Learn more about it here.

Adaptive Images for WordPress

This plugin has 10,000+ active installations and the vulnerability was fixed in version 0.6.67. You can learn more here.

ND Shortcodes For Visual Composer

The vulnerability was fixed in version 5.9.1 and the plugin has 10,000+ active installations. You can learn more about the vulnerability on the NinTechNet blog.

Simple Mail Address Encoder

The issue was fixed in version 1.7 of the plugin and the plugin has 9,000+ active installations. Learn more about the vulnerability here.

Coming Soon Page and Maintenance Mode

This plugin has 7,000+ active installations and the vulnerability was fixed in version 1.8.0. You can learn more about the vulnerability here.

WPS Cleaner

This plugin has 5,000+ active installations and the vulnerability was patched in version 1.4.5. Learn more about it.

WPS Bidouille

This plugin has 4,000+ active installations and the issue has been resolved in version 1.12.4. You can learn more here.

Insert or Embed Articulate Content into WordPress

The vulnerability in this plugin was fixed in version 4.29991, and the plugin has 2,000+ active installations. You can learn more about it here.

Custom Simple RSS

This one only affects 1,000+ active installations and has been fixed in version 2.0.7. Learn more here.

WPS Child Themes Generator

This plugin has 1,000+ active installations and the vulnerability was patched in version 1.2. Learn more here.

School Management

This issue has been fixed in version 57.0. The plugin has an unknown number of active installations, as it is a CodeCanyon plugin, but it has had 915 sales. Learn more here.

Hybrid Composer

This plugin is not on the WordPress plugin repository or any other repository. Therefore, it has no installation or sales numbers. The issue has been patched in version 1.4.7. You can learn more on the Sucuri blog.

WordPress Theme Vulnerabilities

Real Estate 7

The vulnerability in this theme is still not patched as of this writing (August 7, 2019) in version 2.9.0. You can find the official changelog on this website. This is a Themeforest theme (not surprised) and has been sold 7,194 times.

You can learn more about the vulnerability here.

Zoner – Real Estate

This vulnerability was patched in version 4.1.1 of the theme from the Theme Forest repository. No active installation count is available, but it has 1,596 sales. You can learn more about the vulnerability here.

WordPress Core Vulnerabilities

None. Yet again WordPress is extremely secure, and the issue isn’t with WordPress itself. The biggest issue will always be using fringe plugins that aren’t maintained or are no longer developed.

The best solution for making sure your WordPress installation is always in good working order is to use reputable plugins and to have a great WordPress maintenance service that keeps things in line and reports to you.