WordPress Vulnerabilities May 2019 Edition

It’s another good month for WordPress core, with only minor maintenance updates and nothing for security. What does that tell you?

That WordPress core has a solid security track record.

Indeed it does, but core is only part of the picture. People don’t always make the best decisions when it comes to plugins and themes, and that is where the risk lives: pick one that isn’t well maintained or doesn’t have a good track record and you’re going to have problems eventually.

Now let’s get into the issues WordPress plugins had in May 2019.

WordPress Plugin Vulnerabilities

As is typical for WordPress, the plugin ecosystem is where the issues come in. I’ve never heard of an ecosystem that hasn’t had issues introduced by outside developers, though.

iOS? Yup, even it has had issues from third-party developers.

Now to the WordPress plugin vulnerabilities.

W3 Total Cache

With more than a million active installs, this one matters, especially since there are three separate vulnerabilities. If you haven’t done so already, update W3 Total Cache to 0.9.7.4, which fixes all three.

You can see all three entries on the WordPress Vulnerability Database.

Convert Plus

This one is a popular plugin that a lot of people are using, and we use a different version of the same plugin ourselves! Good thing the developers are on top of managing their plugin and patched it quickly.

Version 3.4.2 and lower are vulnerable to unauthenticated administrator creation and should be patched to version 3.4.3 or higher immediately. We ran across this issue in a blog post from Wordfence. The patch was out quite a while before the vulnerability was publicized, though. Keep in mind that updating closes the hole but does not remove any administrator account an attacker already created, so check your user list after patching.
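
Since an unauthenticated-admin-creation bug leaves behind accounts that a plugin update will not clean up, here is one way to audit the administrator list. This is an added example, not code from Wordfence, the plugin’s developers, or this post. It runs against a throwaway SQLite copy of the two WordPress tables involved (`wp_users` and `wp_usermeta`) with constructed rows; on a real site run the same SQL against MySQL. It assumes the default `wp_` table prefix, so the capabilities meta key is `wp_capabilities`, and the known-admin list is a placeholder you replace with your own.

```python
"""List every WordPress account holding the administrator role and flag the
ones you did not create. Added example with constructed sample data."""
import sqlite3

# Logins you know you created. Constructed placeholder; replace with yours.
KNOWN_ADMINS = {"site-owner"}

# wp_capabilities holds a PHP-serialized array such as
#   a:1:{s:13:"administrator";b:1;}
# so matching the quoted role name is enough to find administrators.
# Assumes the default wp_ table prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC
"""


def build_sample_db():
    """In-memory copy of the columns the query needs, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT,
            user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    rows = [
        # (ID, login, email, registered, serialized capabilities)
        (1, "site-owner", "owner@example.com", "2017-03-02 10:11:12",
         'a:1:{s:13:"administrator";b:1;}'),
        (2, "editor-jane", "jane@example.com", "2018-06-15 08:00:00",
         'a:1:{s:6:"editor";b:1;}'),
        (3, "wpuser-4921", "x@mailbox.example", "2019-05-26 03:14:07",
         'a:1:{s:13:"administrator";b:1;}'),
    ]
    for uid, login, email, registered, caps in rows:
        db.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)",
                   (uid, login, email, registered))
        db.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                   "VALUES (?, ?, ?)", (uid, "wp_capabilities", caps))
    return db


def list_admins(db):
    """All administrator accounts, newest registration first."""
    keys = ("id", "login", "email", "registered")
    return [dict(zip(keys, row)) for row in db.execute(ADMIN_QUERY)]


def unexpected_admins(db, known=KNOWN_ADMINS):
    """Administrators whose login is not in the known-admin list."""
    return [a for a in list_admins(db) if a["login"] not in known]


if __name__ == "__main__":
    for a in unexpected_admins(build_sample_db()):
        print(f"unexpected administrator: {a['login']} <{a['email']}> "
              f"registered {a['registered']}")
```

The WP-CLI equivalent is `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`. Whichever you use, any administrator you don’t recognise, especially one registered while the vulnerable version was installed, should be removed and the site’s credentials rotated.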

Ninja Forms File Uploads Extension

Ninja Forms is a great plugin with a good record of fixing vulnerabilities, but that doesn’t mean they never happen. If you use the File Uploads extension for Ninja Forms, this is a vulnerability you must patch immediately.

The issue was fixed in version 3.0.23, so update immediately. After you’ve updated, head over and read what the issue was all about. In brief: an unauthenticated user could upload arbitrary files, which on a PHP site means a web shell or other malware.

WP Database Backup

This one is a pretty big deal, but version 5.2 contains the fix, so update to it. Now for some words of wisdom from the Wordfence team, who we love because they’re on top of this WordPress security stuff.

“…allowed unauthenticated attackers to modify the destination email address for database backups, potentially putting sensitive information in their hands” according to a Wordfence blog post. The problem was much bigger than that, though, as Wordfence laid out in that same blog post.

Slick Popup

This one is still unpatched as of the time I’m writing this (May 29th, 2019), so if you’re one of the 7,000 or so sites using it, remove it now and don’t come back.

According to the Wordfence team, they alerted the plugin maker to the issues in April and gave them 30 days to release a fix. They didn’t, which tells me they don’t take the plugin seriously and aren’t actively maintaining it. Neither is good for users, and you should jump off immediately even if they do release an update.

As for the details of the issue, Wordfence put together a really good blog post with everything they disclosed to the developers. Your first step is to remove the plugin. Second, read up on it if you’d like.

Event Management Tickets Booking By Event Monster

If you’re running this plugin, update it immediately to version 1.0.6. That closes this particular hole.

A cross-site scripting issue isn’t one to mess with, and you don’t want to wait on the update. Once you’re updated, read about the issue.

Hostel Plugin

I don’t know about you, but I hate it when I visit the admin section of a plugin and some injected JavaScript executes. Well, that’s what could happen on version 1.1.3 and likely earlier.

Update this plugin to 1.1.4 immediately so your site isn’t vulnerable to this issue. Then read more about it on the WP Vulnerability Database.

Simple File List Plugin

Two pretty big issues with this one: a directory traversal that lets an attacker walk your directory structure to reach sensitive files, and a separate file deletion issue.

Make sure you update Simple File List to at least version 3.2.5 to get the fixes for both. After you do that, read about each of them on the WP Vulnerability Database.

WP Booking System

This one was fixed in version 1.5.2. Update, then read up on the SQL injection vulnerabilities on the WP Vulnerability Database.

Slimstat

The fix is out in version 4.8.1, so update right now. The issue allows arbitrary JavaScript to be injected through the access log functionality (a stored cross-site scripting bug), according to the WP Vulnerability Database.

FV Flowplayer Video Player

This one is a threefer! You get three different vulnerabilities for the price of one, free! Thankfully all three are patched in version 7.3.14.727.

The three are a CSV export issue, a SQL injection (yikes!), and an unauthenticated stored XSS, all laid out on the WP Vulnerability Database. Before you read too much about them, update to the newest version.

Newsletter Manager

This plugin appears to have been closed, whether because of this issue or because it was abandoned. Either way, a plugin that is no longer maintained will never get a fix, so remove it completely if you have it.

You can read more on the issue (not much there) on the WP Vulnerability Database.

WP Live Chat Support

This plugin has 50,000+ active installs and the vulnerability is a nasty one. Update to version 8.0.27 immediately.

You can learn more about the cross-site scripting vulnerability on the Sucuri blog.

Register IPs

This one affects fewer people, since the plugin is only installed on 3,000+ sites. If you’re one of them, upgrade to version 1.8.1 to fix the vulnerability.

Once you do that, read up on the unauthenticated stored cross-site scripting vulnerability.

Ultimate Member

You get multiple vulnerabilities for free this month if you’re one of the 100,000+ users of Ultimate Member! No worries, though, as they have already been patched.

Update to version 2.0.46 to get the fixes. The best part about this one is how quickly the developers released them. You can read more about the issues, and the patch turnaround, on the Sucuri blog.

Custom Field Suite

Update to version 2.5.15 immediately if you’re using the Custom Field Suite plugin. It’s another cross-site scripting vulnerability, this time one that requires an authenticated user to exploit.

Once you’ve updated the plugin, read more about it on the WP Vulnerability Database.

All-in-One Event Calendar

Yikes! Another cross-site scripting vulnerability this month. Upgrade to at least version 2.5.39 to close it.

After you do that, you can read more about the issue on the WP Vulnerability Database.

Blog Designer

Upgrade to version 1.8.11 right away to make sure you’re protected from this unauthenticated stored cross-site scripting vulnerability. Then head over to the WP Vulnerability Database to learn more about it.

WordPress Theme Vulnerabilities

There aren’t a lot of issues in WordPress themes this month. Just one for May has been made public.

Traveler

This travel booking WordPress theme had a major issue disclosed this month (May 2019) that leaves it open to multiple attacks.

Of course this one is from the Themeforest repository which seems to me to be a hotbed of out-of-date plugins and themes that may or may not have vulnerabilities. That is my personal opinion, though.

In any case, versions up to 2.7.1 are vulnerable. If you’re on this theme, switch to another one immediately until the issue is fixed, and delete the theme’s files rather than leaving it installed but inactive, since PHP files in an inactive theme can still be requested directly. If it’s not fixed in a timely fashion, ditch it for good.

Once you have it switched off, read more about the issue.

WordPress Core Vulnerabilities

Another clean bill of health for WordPress core in May 2019. Contrary to what many like to say, core has been fine on the vulnerability front, with no security release since March.

The best part is that when a core vulnerability is found, it gets patched quickly, because so many developers care.

As always, if you’re not closely monitoring your WordPress installation and watching for vulnerabilities, you should! For every website we manage with our WordPress maintenance service, we check what’s in each update to make sure important patches are prioritized immediately.
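
The monitoring the post recommends comes down to comparing what is installed against the fixed versions above. The script below is an added example (not the post’s or any vendor’s tooling) that encodes this month’s fixed versions exactly as stated in the post, compares dotted version strings component by component rather than as plain strings (so 0.9.7.4 correctly sorts before 0.9.10, and 5.2 equals 5.2.0), and reports what still needs an update or removal. The inventory it checks is a constructed sample; the plugin names are the display names used in the post, so on a real site you would map WP-CLI’s slugs to them yourself.

```python
"""Audit an installed-plugin inventory against the fixed versions in this
post. Added example; the inventory below is constructed, not a real site."""
from itertools import zip_longest

# Fixed versions as stated in the post. None means the post's advice is to
# remove the plugin: no fix was available or the plugin has been closed.
FIXED_IN = {
    "W3 Total Cache": "0.9.7.4",
    "Convert Plus": "3.4.3",
    "Ninja Forms File Uploads Extension": "3.0.23",
    "WP Database Backup": "5.2",
    "Slick Popup": None,
    "Event Management Tickets Booking By Event Monster": "1.0.6",
    "Hostel": "1.1.4",
    "Simple File List": "3.2.5",
    "WP Booking System": "1.5.2",
    "Slimstat": "4.8.1",
    "FV Flowplayer Video Player": "7.3.14.727",
    "Newsletter Manager": None,
    "WP Live Chat Support": "8.0.27",
    "Register IPs": "1.8.1",
    "Ultimate Member": "2.0.46",
    "Custom Field Suite": "2.5.15",
    "All-in-One Event Calendar": "2.5.39",
    "Blog Designer": "1.8.11",
}


def parse_version(version):
    """Split a dotted version into comparable parts.

    Numeric parts compare as integers, so 0.9.7.4 sorts before 0.9.10;
    a non-numeric part (e.g. "beta") sorts below any number.
    """
    return [(1, int(p)) if p.isdigit() else (0, p)
            for p in version.strip().split(".")]


def version_lt(installed, fixed):
    """True if `installed` is strictly older than `fixed` (5.2 == 5.2.0)."""
    for a, b in zip_longest(parse_version(installed), parse_version(fixed),
                            fillvalue=(1, 0)):
        if a != b:
            return a < b
    return False


def audit(inventory, advisories=FIXED_IN):
    """inventory: {plugin display name: installed version}.

    Returns (plugin, installed version, action) for every plugin that still
    needs attention; plugins not covered by the advisories are skipped.
    """
    findings = []
    for name, installed in inventory.items():
        if name not in advisories:
            continue
        fixed = advisories[name]
        if fixed is None:
            findings.append((name, installed,
                             "remove: no fixed version available"))
        elif version_lt(installed, fixed):
            findings.append((name, installed, f"update to {fixed} or later"))
    return findings


# Constructed sample inventory. On a live site, build it from
# `wp plugin list --fields=name,version --format=json` and map each slug
# to the display name used above.
SAMPLE_INVENTORY = {
    "W3 Total Cache": "0.9.7.3",            # one patch behind
    "Convert Plus": "3.4.3",                # already fixed
    "Slick Popup": "1.0",                   # assumed version; remove anyway
    "FV Flowplayer Video Player": "7.3.14.727",
    "Ultimate Member": "2.0.45",
    "Akismet": "4.1.2",                     # not in this month's list
}

if __name__ == "__main__":
    for name, installed, action in audit(SAMPLE_INVENTORY):
        print(f"{name} {installed}: {action}")
```

Run on the sample it flags W3 Total Cache and Ultimate Member for updates and Slick Popup for removal, and ignores Akismet. Themes can be handled the same way by adding a second table keyed on theme name, which is how you would track the Traveler theme until its fix appears.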