The month of July 2019 was a busy month for WordPress plugin vulnerabilities. There were approximately 30 vulnerabilities (I may have missed a few) in plugins and 1 in a theme that’s for sale on Theme Forest.
The best way to protect against plugin vulnerabilities is to use reputable plugins from developers who are active and, even more important, keep your plugins up-to-date. If you don’t monitor your website regularly then you should use a good WordPress maintenance service that will always monitor your website for vulnerabilities.
WordPress Plugin Vulnerabilities
Yoast SEO
This vulnerability was fixed in version 11.6 and the plugin has 5+ million active installations. You can learn more about the issue here.
WP Statistics
This plugin has 500,000+ active installations and the vulnerability was patched in version 12.6.7. You can learn more here.
WPS Hide Login
This vulnerability was fixed in version 1.5.3 and the plugin has 400,000+ active installations. Learn more about the vulnerability here.
WP File Manager
This vulnerability was patched in version 5.2 and the plugin has 400,000+ active installations. You can learn more about it here.
Ocean Extra
The vulnerability was fixed in version 1.5.9 of the plugin, and it has 400,000+ active installations. You can learn more about the issue here.
Photo Gallery
This vulnerability affects 300,000+ active installations and should be updated to version 1.5.31 immediately. You can learn more about the issue here.
Widget Logic
This plugin has 300,000+ active installations and the vulnerability was patched in version 5.10.3 which you can learn more about here.
Pirate Forms
This vulnerability affects 200,000+ active installations and has been fixed in version 1.5.2. Learn more about the Pirate Forms vulnerability.
Ad Inserter
This plugin has 200,000+ installations and the vulnerability was fixed in version 2.4.20. You can learn more from the Wordfence blog.
Contact Form 7 Dynamic Text Extension
This plugin has 100,000+ active installations and the vulnerability has been fixed in version 2.0.3. Learn more here.
Email Subscribers & Newsletters
This issue has been resolved in version 4.1.8 and the plugin has 100,000+ active installations. You can learn more here.
Simple Membership
The plugin has a CSRF vulnerability that affects all 40,000+ active installations but has been fixed in version 3.8.5. You can see more details about the vulnerability here.
Advanced Contact Form 7 DB
This plugin has 40,000 active installations and the vulnerability was fixed in version 1.7.1. You can learn more about the vulnerability here.
FV Flowplayer Video Player
The issue was patched in version 7.3.19.727 of this plugin with 40,000+ active installations. You can learn more about it here.
Icegram
This vulnerability was patched in version 1.10.29 and the plugin has 40,000+ active installations. You can learn more about the vulnerability on the Sucuri blog.
Visitors Traffic Real Time Statistics
Some vulnerabilities for this plugin remain unfixed according to WP Vulnerabilities DB, but some have been fixed in version 1.13. This plugin has 40,000+ active installations. You can learn more about the issue here and watch the developer notes of the plugin to see when all issues have been patched.
Blog2Social
A vulnerability in Blog2Social, a plugin with 30,000+ active installations, has been fixed in version 5.6.0. Learn more here.
One Click SSL
This issue was patched in version 1.4.7 and the plugin has 20,000+ active installations. You can learn more here.
WPS Limit Login
This vulnerability is patched in version 1.4.6 and the plugin currently has 10,000+ active installations. Learn more about it here.
Adaptive Images for WordPress
This plugin has 10,000+ active installations and the vulnerability was fixed in version 0.6.67. You can learn more here.
ND Shortcodes For Visual Composer
The vulnerability was fixed in version 5.9.1 and the plugin has 10,000+ active installations. You can learn more about the vulnerability on the NinTechNet blog.
Simple Mail Address Encoder
The issue was fixed in version 1.7 of the plugin and the plugin has 9,000+ active installations. Learn more about the vulnerability here.
Coming Soon Page and Maintenance Mode
This plugin has 7,000+ active installations and the vulnerability was fixed in version 1.8.0. You can learn more about the vulnerability here.
WPS Cleaner
This plugin has 5,000+ active installations and the vulnerability was patched in version 1.4.5. Learn more about it here.
WPS Bidouille
This plugin has 4,000+ active installations and the issue has been resolved in version 1.12.4. You can learn more here.
Insert or Embed Articulate Content into WordPress
The vulnerability in this plugin was fixed in version 4.29991, and the plugin has 2,000+ active installations. You can learn more about it here.
Custom Simple RSS
This one only affects 1,000+ active installations and has been fixed in version 2.0.7. Learn more here.
WPS Child Themes Generator
This plugin has 1,000+ active installations and the vulnerability was patched in version 1.2. Learn more here.
School Management
This issue has been fixed in version 57.0. The plugin has an unknown number of active installations, as it is a CodeCanyon plugin, but it has had 915 sales. Learn more here.
Hybrid Composer
This plugin is not on the WordPress plugin repository or any other repository. Therefore, it has no installation or sales numbers. The issue has been patched in version 1.4.7. You can learn more on the Sucuri blog.
WordPress Theme Vulnerabilities
Real Estate 7
The vulnerability in this theme is still not patched as of this writing (August 7, 2019) in version 2.9.0. You can find the official changelog on this website. This is a Themeforest theme (not surprised) and has been sold 7,194 times.
You can learn more about the vulnerability here.
Zoner – Real Estate
This vulnerability was patched in version 4.1.1 of the theme from the Theme Forest repository. No active installation count is available, but it has 1,596 sales. You can learn more about the vulnerability here.
WordPress Core Vulnerabilities
None. Yet again WordPress is extremely secure, and the issue isn’t with WordPress itself. The biggest issue will always be using fringe plugins that aren’t maintained or are no longer developed.
The best solution for making sure your WordPress installation is always in good working order is to use reputable plugins and make sure you have a great WordPress maintenance service to keep things in line and reported to you.
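As an added example (not code from this post or from any of the plugin authors), here is one way to turn the "keep your plugins up to date" advice into a routine check: feed the JSON that WP-CLI prints for `wp plugin list --fields=name,title,version --format=json` into a small script that compares each installed version against the first patched version listed above. The `FIXED_VERSIONS` table holds a subset of the versions from this roundup and is meant to be extended; the sample plugin list is constructed (the slugs and installed versions are illustrative, not captured from a real site), and the version comparison is a deliberate simplification of PHP's `version_compare` that is sufficient for dotted release numbers such as `7.3.19.727`.

```python
import json

# First patched versions as listed in this roundup (plugin title -> version).
# Only a subset is included here; extend the table from the post as needed.
FIXED_VERSIONS = {
    "Yoast SEO": "11.6",
    "WP Statistics": "12.6.7",
    "WPS Hide Login": "1.5.3",
    "WP File Manager": "5.2",
    "Ad Inserter": "2.4.20",
    "FV Flowplayer Video Player": "7.3.19.727",
    "Adaptive Images for WordPress": "0.6.67",
    "Insert or Embed Articulate Content into WordPress": "4.29991",
}


def parse_version(v):
    """Split a dotted version string into a tuple of integers.

    Non-numeric characters inside a segment are dropped (a segment such as
    'beta' becomes 0). This is a simplification of PHP's version_compare,
    adequate for the plain release numbers in the table above.
    """
    parts = []
    for seg in v.strip().split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Return True if version a is older than version b.

    Shorter tuples are padded with zeros so that '5.2' equals '5.2.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def find_outdated(plugin_list_json, fixed=FIXED_VERSIONS):
    """Given the JSON output of

        wp plugin list --fields=name,title,version --format=json

    return a list of (title, installed_version, first_patched_version) for
    every plugin in the table whose installed version predates the fix.
    Plugins not in the table are ignored.
    """
    findings = []
    for entry in json.loads(plugin_list_json):
        title = entry.get("title", "")
        if title in fixed and version_lt(entry["version"], fixed[title]):
            findings.append((title, entry["version"], fixed[title]))
    return findings


# Constructed sample shaped like WP-CLI's JSON output; not from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wordpress-seo", "title": "Yoast SEO", "version": "11.5"},
    {"name": "wp-statistics", "title": "WP Statistics", "version": "12.6.7"},
    {"name": "wp-file-manager", "title": "WP File Manager", "version": "5.2.1"},
    {"name": "ad-inserter", "title": "Ad Inserter", "version": "2.4.19"},
    {"name": "fv-wordpress-flowplayer", "title": "FV Flowplayer Video Player",
     "version": "7.3.19.727"},
    {"name": "some-other-plugin", "title": "Unrelated Plugin", "version": "1.0"},
])

if __name__ == "__main__":
    # On a live site, replace SAMPLE_PLUGIN_LIST with the output of the
    # wp-cli command shown in find_outdated's docstring.
    for title, installed, fixed_in in find_outdated(SAMPLE_PLUGIN_LIST):
        print(f"{title}: installed {installed}, update to {fixed_in} or later")
```

Running the script against the constructed sample reports Yoast SEO and Ad Inserter as outdated and stays silent about the plugins already at or past their patched version. A check like this only catches the vulnerabilities you have entered into the table, which is exactly why the post recommends ongoing monitoring rather than a one-off review.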