There have been several reports of WordPress plugin vulnerabilities. On June 12, 2012, I did some research on plugins reported to have security issues and whether they have been fixed or removed from the WordPress.org plugin repository.
Security Tip: To help keep your WordPress blog secure, I recommend the following:
If a plugin security fix is available, please update the plugin(s) immediately.
If a plugin has been removed from the WordPress plugin repository and a security fix is not yet available, delete the plugin(s) until an update is available.
WP GPX Maps Plugin
Risk in version 1.1.21 – arbitrary file upload vulnerability (reported on June 11, 2012)
Security Fix available in version 1.1.23 (released on June 11, 2012)
View Changelog
WP User Meta Plugin
Risk in version 1.1.1 – arbitrary file upload vulnerability (reported on June 11, 2012)
Removed from WordPress.org
View Trac – developer made an update on June 12, 2012
Top Quark Architecture Plugin
Risk in version 2.1.0 – arbitrary file upload vulnerability (reported on June 11, 2012)
Security Fix available in version 2.1.1 (released on June 11, 2012)
View Changelog
WordPress SfBrowser Plugin
Risk in version 1.4.5 – arbitrary file upload vulnerability (reported on June 11, 2012)
Removed from WordPress.org
View Trac – last update April 8, 2011
PICA Photo Gallery Plugin
Risk in version 1.0 – arbitrary file upload vulnerability (reported on June 11, 2012)
Removed from WordPress.org
View Trac – last update December 7, 2011
MAC Photo Gallery Plugin
Risk in version 2.7 – arbitrary file upload vulnerability (reported on June 11, 2012)
Removed from WordPress.org
View Trac – developer made an update on June 12, 2012
Custom Content Type Manager Plugin
Risk in version 0.9.5.13-pl – arbitrary file upload vulnerability (reported on June 11, 2012)
Removed from WordPress.org
View Trac – developer made an update on June 11, 2012
UPDATES 06/12/2012 AT 2PM CST
WordPress HD FLV Player Plugin
Risk in version 1.7 – arbitrary file upload vulnerability (reported on June 12, 2012)
Not found on WordPress.org
View Trac – last update on December 12, 2012
WordPress wpStoreCart Plugin
Risk in version 2.5.27 – 2.5.29 – arbitrary file upload vulnerability (reported on June 08, 2012)
Removed from WordPress.org
View Trac – developer made an update on June 09, 2012
Note: The developer uploaded version 2.5.30 and it was listed at the repository, but then removed again.
Tinymce Thumbnail Gallery Plugin
Risk in version 1.0.7 – remote file disclosure vulnerability (reported on June 08, 2012)
Security Fix available in version v1.1.0 (released on June 12, 2012)
View Changelog
Thinkun Remind Plugin
Risk in version 1.1.3 – remote file disclosure vulnerability (reported on June 08, 2012)
Removed from WordPress.org
View Trac – last update December 12, 2011
Simple Download Button Shortcode Plugin
Risk in version 1.0 – remote file disclosure vulnerability (reported on June 08, 2012)
Removed from WordPress.org
View Trac – last update February 17, 2012
RBX Gallery Plugin
Risk in version 2.1 – arbitrary file upload vulnerability (reported on June 08, 2012)
Removed from WordPress.org
View Trac – last update May 28, 2012
WordPress Auctions Plugin
Risk in version 2.0.1.3 – arbitrary file upload vulnerability (reported on June 12, 2012)
SiteMile Premium Plugin – Security Fix available in version 2.0.2 (released on June 12, 2012)
Note: I contacted the developer and within minutes I received an update that this issue has been resolved 🙂
LEAVE YOUR FEEDBACK
If you have found a plugin that has been removed from the WordPress.org repository, please let us know. Leave your comment below.
Dr. MaryJo Wagner says
Thanks much for the update on WordPress plug-ins that we need to check to make sure we aren’t using them. I would certainly never know to do this if it weren’t for your good updates.
Regina Smola says
Aw thanks MaryJo. I appreciate that.
I get so tangled up in this stuff that hours and hours go by. I have spent about 4 hours working on this post. Whew!
Christine says
Thanks for the heads up… 🙂
What plugin(s) do you recommend to get some of the comments under control?
I have Bad Behavior in place, but still get them, although they have to be moderated.
Is there anything I should add or instead of that might work better?
Thanks again, Regina… you do a great job keeping us informed!
Regina Smola says
Hey Christine,
Thanks for stopping by again 🙂
Oh those lil’ bugger spambots! I wrote a guest post on Kurt Scholle’s site that might help you – http://website-roi-guy.com/419/tips-to-combat-comment-spam-for-wordpress/.
And I have settings in my .htaccess file that help with spambots too. I’m going to be creating a product on it soon. Be sure to be on my mailing list so you know when it’s ready.
Sheri says
Thank you, Regina! I don’t have any that you listed so far and will be checking later on. I’ve never used the repository before, do I just type in the name of the plugin and do a search and if it doesn’t come up–then should I “assume” it has been removed? Or am I looking for certain wording? I apologize if this seems “elementary”.
I also appreciate all that you do to let us know about these issues! 🙂
Regina Smola says
Hi Sheri,
That’s a great question and not elementary at all. Sometimes it’s hard to find the plugins on WordPress.org because sometimes the names don’t match what we see in our Dashboards or they’ve changed the names after a plugin has been added.
The easiest way to do it is this:
I hope that makes sense. If not, please let me know.
Christine says
Regina…
Does this need to be done one plug in at a time? 🙁
Also… is it a good idea to keep this list to AVOID installing some of these in the future?
And if so, which ones?
Regina Smola says
Christine,
Yes, you have to do it one plugin at a time. Create a report for yourself with the links to each and check them monthly to see if they’re still listed on wordpress.org and how long since it’s been updated.
As far as avoiding them in the future, WordPress checks them to make sure they meet their security and coding standards before they’re added or re-listed on their site. But when a plugin becomes an oldy-moldy (hasn’t been updated in over 9 months+) you should start considering finding a more supported plugin. Supported = developer answers questions on the forum, updates are done, etc.
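One way to automate the monthly check described in the comment above, together with the update-or-delete rule from the Security Tip at the top of the post (is the plugin still listed on wordpress.org, is the installed version behind, and how long since its last update), as an added example that is not part of the original post. It queries the public wordpress.org plugin-info API; the 270-day threshold is my reading of the "9 months+" remark, and the sample records in the test are constructed from the plugin versions and dates listed above.

```python
import json
import urllib.error
import urllib.request
from datetime import date, timedelta

# Public wordpress.org plugin-info endpoint; {slug} is the plugin's folder name under wp-content/plugins.
API_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"
STALE_AFTER = timedelta(days=270)  # assumed threshold, roughly the "9 months+" mentioned in the post

def fetch_plugin_info(slug, timeout=10):
    """Return the repository record for slug, or None when wordpress.org does not list it."""
    try:
        with urllib.request.urlopen(API_URL.format(slug=slug), timeout=timeout) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError:
        return None  # a 404 means the slug is unknown; connectivity errors (URLError) still raise
    # Removed or unknown slugs may also come back as JSON null or an error object with no version.
    return data if isinstance(data, dict) and "version" in data else None

def version_key(v):
    """Turn '2.5.27', 'v1.1.0' or '0.9.5.13-pl' into a comparable tuple of leading integers."""
    parts = []
    for piece in v.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def assess_plugin(slug, installed_version, info, today):
    """Classify one installed plugin as removed, outdated, stale or current; today may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if info is None:
        return {"slug": slug, "status": "removed", "action": "delete until a fixed release is listed"}
    last_updated = date.fromisoformat(info["last_updated"][:10])  # record starts "YYYY-MM-DD ..."
    if version_key(installed_version) < version_key(info["version"]):
        return {"slug": slug, "status": "outdated", "action": f"update to {info['version']} now"}
    if today - last_updated > STALE_AFTER:
        return {"slug": slug, "status": "stale", "action": "consider a better-supported plugin"}
    return {"slug": slug, "status": "current", "action": "none"}

def audit(installed, today, fetch=fetch_plugin_info):
    """installed maps slug -> installed version (e.g. from `wp plugin list --format=json`).
    fetch is injectable so the audit can run over saved records without network access."""
    return [assess_plugin(slug, ver, fetch(slug), today) for slug, ver in installed.items()]
```

Run `audit({"wp-gpx-maps": "1.1.21"}, date.today())` on a live site to get one finding per plugin; a "removed" result is the case where the post says to delete the plugin until an update appears.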
Julie says
Thank you for these tips. I’m new to WordPress. What is a good security plugin to further protect my WP site?
Regina Smola says
Hi Julie,
I appreciate you stopping by and leaving your comment. A good security tip is not to have too many plugins, delete unused plugins and unused themes (but keep at least one that comes with WordPress, i.e. twentyeleven or twentyten).
I am currently updating my 7 Plugins for WordPress Security report this week and hope to send it out to all that subscribed to my form in the top right sidebar. In the meantime, I would start with installing these plugins: Timthumb Vulnerability Scanner and Better WP Security (caution when selecting your security settings, some settings could break your site).
Be sure to subscribe to my newsletter below so you can get my new report and emails of important security issues by checking the box below.
Debbie says
Hi, Regina:
We could read your sentence about Better WP Security two ways. I just want to make sure I understand correctly. Are you saying we should check off ALL the settings? I think that’s what you mean, but I thought I’d better have you clarify for us.
Thanks!
Regina Smola says
Hi Debbie,
Sorry it was not more clear. I am saying to be careful and not check all settings or it could break your site. For example, I tried changing the “Content Director” and it broke my site. That setting is really touchy. If you check “System Tweaks” it shows some warnings on things that could break your site. I’ll update my comment above as well 🙂
Thanks for your comment.
Debbie says
Hi, Regina:
I’m so glad I asked. Your explanation is the other way to read the sentence. Naturally, I read it the wrong way. LOL
Thanks so much for the clarification. Think I’d better stay away from that plugin since I’m not at all tech-savvy. Any other security plugins that aren’t as “sensitive?”
Regina Smola says
Hi Debbie,
No problem at all. I’m putting together a second edition of my WordPress Security plugins report. Be sure you’re signed up for my newsletter so you can get a free copy.
Anders Vinther says
Hi Julie,
You might also be interested in the WordPress Security Checklist I wrote to help non-technical people secure their sites…
It’s free and you can get it from http://www.wpsecuritychecklist.com.
Regina,
Thanks for making this list…. I’ve referenced this post on my site…
Regina Smola says
Hi Anders,
Thanks for helping out Julie. FYI: I registered for your checklist and still waiting on the verification email. I look forward to reading it.
Christine says
I registered… and got a couple errors doing so (but think that was my browser settings)…
But, email was verified, but never got my download.
I would be interested if anyone got theirs.
Thanks!
Christine
Regina Smola says
Hi Christine,
Are you talking about the checklist or my report?
FYI: I’m writing Revision 2 this week and will be sending it out this weekend to everyone on my list.
Anders Vinther says
For the WordPress Security Checklist you don’t actually have to subscribe… just click on the download link on the right hand side…
A bit atypical I know 🙂
Christine says
OK, got it this time… thanks!
Christine says
I was looking for the checklist… and it wouldn’t download, so assumed I had to subscribe.
So, I did, but never received…
It wasn’t clear that you didn’t have to register… when I clicked on the front page download link, it took me to another page with a sign up form.
I wanted your report too, Regina… realized I was already subscribed… so I will wait for your new one… and unsubscribe my other email (did that so I could get it). 🙂
Thanks!
Christine
Anders Vinther says
Thanks for the feedback… had another look at the page and completely understand… so I’ve modified the text to make it clear that you do not have to subscribe… hopefully it’s clearer now…
Julie says
Hey Anders,
Thanks for the WP Security Checklist. It sure is great to have people like you and Regina out there helping non-techs like myself.
Angela Bowman says
Hi Anders, the link goes to a broken link on CloudFlare.
Anders Vinther says
Hi Angela,
Thanks for the heads up… seems to be working now, so must have been a temporary glitch…
Julie says
Thank you so much Regina! I just downloaded your 7Plugins ebook and found it very helpful.
I really appreciate it.
Peter M Abraham says
Good day:
Thank you for sharing the various plugins which need to be addressed.
I recently wrote a review on WordFence Security at http://www.dynamicnet.net/2012/06/wordfence-security-plugin/
WordFence does alert you to out of date plugins as well as scan your site for issues of compromise.
Thank you.
Regina Smola says
Hi Peter,
You’re welcome! Thanks for the link to your review. I read it, downloaded it and am testing it now. PRETTY COOL so far 🙂
Corey says
Hello Regina,
Great article and first one of its sort that I have found on this plugin issue. Yesterday my site went really wonky and I am still trying to fix it. For example Jetpack had me logged out and wants me to reconfigure and I use the ‘SEO Ultimate’ plugin using their ‘link masks’ feature. For some reason ALL of my link masks were deleted and I cannot figure out why.
Regina Smola says
Hi Corey,
I’m glad I was able to help. There are more plugins that I need to post, but still trying to keep up with comments and emails 😉
Re: Your site that does sound wonky. I’ve only briefly checked out Jetpack and SEO Ultimate plugins. Did you just upgrade them? Maybe you deleted your cache/cookies and that’s why you needed to reconfig. When I use backupbuddy, for example, I logout after I set it up but it still keeps my settings. Hope you find a way to get your links back. That’s no fun!
For SEO, I use WordPress SEO by Joost de Valk. He’s been adding some really cool features to it lately like Google plus authorship. I use Pretty Link Pro for my masking and love the tracking feature.
Terry Loving says
Hi Regina!
Thank you for this very helpful list of vulnerable plugins – I installed a “free directory plugin” not too long ago ( I do not recall which one) and while I was working on the site, it was hacked! Geeez!
Where does one go to report suspicious plugins?
I suppose a good place would be to let you know because you can spread the word quickly!
Thanks for all your research.
Terry
Regina Smola says
Hi Terry,
I’m glad to help. If you ever find a suspicious plugin, email support[at]wordpress.org right away so they can look into it. They usually respond back within a few hours. And of course, let me know.
Angela Bowman says
I usually recommend that people only install plugins that are popular and well supported. Plugins are a dime a dozen and leave your site vulnerable. The fewer plugins, the better, both for performance and security. I use only a handful of plugins regularly that are well supported, meaning, they are frequently updated rather than languishing. I think WordPress.org should have a policy about removing plugins from the repository that haven’t been updated in more than 9 or 12 months. Some don’t “require” updating, but I think most do and should be evaluated every 6 months.
Regina Smola says
Hi Angela,
That is sound advice! I personally do monthly plugin audits for my own sites and clients. WordPress.org is a big place with many plugins. I hear what you’re saying about them being evaluated, but that would be a huge task. We are all responsible for what we put on our websites and should make it our duty to check what’s being “served.” Imagine if every WordPress user checked their own plugins and themes on a regular basis how much safer sites would be.
Angela Bowman says
Me, too. I started using ManageWP which makes it easier to check regularly, but I don’t install random plugins. Most people don’t know how vulnerable these can be and should be used with caution rather than with abandon 😉 Very seldom if ever are you “alerted” like you’ve done here that a plugin has a huge security vulnerability or has been removed from the repository.
Regina Smola says
When ManageWP was in beta I checked it out, but wasn’t ready to give it a try yet. I see they’ve added a Security guide and how they handle security. Be sure to read the comments on the last link. I don’t think I’m ready to give them control yet.
Angela Bowman says
Regina, just thought I’d let you know that I did a test with ManageWP by logging into a friend’s ManageWP account, and it did not work as I expected. I was able to access all of the sites’ Dashboards through the ManageWP interface without individual admin passwords to the sites. Even when she logged out of the sites, I was still able to access them, so even though ManageWP doesn’t store the sites’ passwords, ManageWP does provide admin access to all the sites using just the one password you’ve set up with them. On one hand, I like the easy access to the sites this way, on the other, I’m nervous about the one password access to my WordPress sites. It could be secure and fine as is 1Password and similar tools, but I want more control over my WordPress sessions.
Regina Smola says
Hi Angela,
Wow! That’s good to know. I understand your concern completely. It looks like the plugin is “plugged” in no matter what. Not a warm fuzzy feeling. I think they need to beef up security over there. Think about it for those that use weak passwords yikes!!! They could have all of their sites changed or deleted with a click of a button.
I understand the ease of it and it’s a great concept, but being security conscious I’m like you I need control.
Thanks so much for your feedback.