WordPress Security Plugin Report: Vulnerabilities and Fixes – 06-18-2012

June 18, 2012 By Regina Smola 10 Comments

WordPress Security Report of Plugin Vulnerabilities and Security Fixes

On June 18, 2012, I did security checks on the following plugins that have been reported with security vulnerabilities.

(Unfortunately, when a plugin vulnerability is found it is posted online and can cause a mass attack on websites using the plugin.)

In an effort to help keep all self-hosted WordPress users safe, I check these daily for any new threats. The Plugins Team at WordPress.org works very quickly to disable public downloads while working with the third-party developers to get security updates before adding the plugins back to the repository.

For WordPress security, the plugins below have either been removed from WordPress.org pending a security update or have fixed the security vulnerability.

  1. Annonces
    Threat: Arbitrary File Upload Vulnerability in Version 1.2.0.1
    Reported: 06/13/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/annonces/
    Trac: http://plugins.trac.wordpress.org/log/annonces/ (last update 06/11/2012)
  2. Evarisk
    Threat: Arbitrary File Upload Vulnerability in Version 5.1.5.4
    Reported: 06/14/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/evarisk/
    Trac: http://plugins.trac.wordpress.org/log/evarisk/ (last update 05/30/2012)
  3. FoxyPress
    Threat: Arbitrary File Upload Vulnerability in Version 0.4.2.1
    Reported: 06/14/2012
    Status: Security fix in Version 0.4.2.2 on 06/16/2012. Latest version is 0.4.2.3
    Download: http://wordpress.org/extend/plugins/foxypress/
    Changelog: http://wordpress.org/extend/plugins/foxypress/changelog/
  4. Invit0r
    Threat: Arbitrary File Upload Vulnerability in Version 0.22
    Reported: 06/14/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/invit0r/
    Trac: http://plugins.trac.wordpress.org/log/invit0r/ (last update 09/25/2011)
  5. LB Mixed Slideshow for WordPress
    Threat: Arbitrary File Upload Vulnerability in Version 1.0
    Reported: 06/17/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/lb-mixed-slideshow/
    Trac: http://plugins.trac.wordpress.org/log/lb-mixed-slideshow/ (last update 09/15/2011)
  6. Lim4wp
    Threat: Arbitrary File Upload Vulnerability in Version 0.22
    Reported: 06/18/2012
    Status: Removed from the WordPress.org repository
    Trac: http://plugins.trac.wordpress.org/log/lim4wp/ (last update 01/10/2011)
  7. MAC PHOTO GALLERY
    Threat: Arbitrary File Upload Vulnerability in Version 2.7
    Reported: 06/11/2012
    Status: Security fix in Version 2.8 on 06/13/2012
    Download: http://wordpress.org/extend/plugins/mac-dock-gallery/ (Plugin deleted from WordPress.org as of 11/14/12)
    Changelog: None available, see Trac: http://plugins.trac.wordpress.org/log/mac-dock-gallery/
  8. User Meta
    Threat: Arbitrary File Upload Vulnerability in Version 1.1.1
    Reported: 06/11/2012
    Status: Security fix in Version 1.1.1.1 on 06/12/2012
    Download: http://wordpress.org/extend/plugins/user-meta/
    Changelog: http://wordpress.org/extend/plugins/user-meta/changelog/
  9. WordPress Automatic Plugin (premium plugin)
    Threat: CSRF Exploit Vulnerability in Version 2.0.3
    Status: Security fix in Version 2.0.4 on 06/11/2012
    Download/Changelog: http://codecanyon.net/item/wordpress-automatic-plugin/1904470
  10. Wp-ImageZoom
    Threat: Remote File Disclosure Vulnerability in Version 5.1.5.4
    Reported: 06/18/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/wp-imagezoom/
    Trac: http://plugins.trac.wordpress.org/log/wp-imagezoom/ (last update 05/30/2012)
  11. wpStoreCart
    Threat: Arbitrary File Upload Vulnerability in Versions 2.5.27 – 2.5.29
    Reported: 06/08/2012
    Status: Security fix in Version 2.5.30 on 06/09/2012. Latest version is 2.5.31
    Download: http://wordpress.org/extend/plugins/wpstorecart/
    Changelog: http://wordpress.org/extend/plugins/wpstorecart/changelog/
  12. Zingiri Web Shop
    Threat: Arbitrary File Upload Vulnerability in Version 2.4.3
    Reported: 06/14/2012
    Status: Security fix in Version 2.4.4 on 06/18/2012
    Download: http://wordpress.org/extend/plugins/zingiri-web-shop/
    Changelog: http://wordpress.org/extend/plugins/zingiri-web-shop/changelog/

What to do if a plugin listed above is installed on your WordPress site with “Status: Security Fix…”

Important! The security fix is an update to close the vulnerability. You need to update the plugin immediately to the latest version for security.

What to do if the plugin you're using is listed as “Status: Removed from the WordPress.org repository”?

Important! For WordPress security, you should deactivate and remove the plugin immediately until a security update is available. If it's vital that you use the functions of a plugin, please look for a supported replacement plugin at http://wordpress.org/extend/plugins/ until a security fix is released.

Will a removed plugin be re-listed on WordPress.org?

For your protection, WordPress.org removes the plugin link until the developer has fixed any security issues. Once the vulnerability is fixed and reviewed by WordPress.org, the plugin may appear again.

Note: Many times, third-party plugin developers are actively working on a security fix. To check the status of any plugin development and/or updates, click on the “Trac” link above or copy and paste the Old URL to see if the plugin is re-listed. If it is re-listed, it is safe to use the latest plugin version.
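As an added example (not part of the original post or any of the plugins' own code), the script below applies the two rules above to a set of installed plugins: read the `Version:` line from each plugin's standard header block, then report "update" for a plugin whose fixed version is newer than the installed one and "remove" for a plugin that has been pulled from the repository with no fix yet. The slugs and fixed versions come from the list above; the sample plugin headers are constructed.

```python
"""Check installed WordPress plugins against the 06-18-2012 advisory list.

Added example, not the post's own tooling. Assumes the standard WordPress
plugin header ('Version: x.y.z' inside the main plugin file's comment block).
Slugs and fixed versions are taken from the report; sample headers are constructed.
"""
import re

# Fixed version per plugin slug; None = removed from the repository, no fix yet.
ADVISORIES = {
    "annonces": None, "evarisk": None, "invit0r": None,
    "lb-mixed-slideshow": None, "lim4wp": None, "wp-imagezoom": None,
    "foxypress": "0.4.2.2", "mac-dock-gallery": "2.8",
    "user-meta": "1.1.1.1", "wpstorecart": "2.5.30", "zingiri-web-shop": "2.4.4",
}

# Constructed sample: slug -> header block of the plugin's main PHP file.
SAMPLE_PLUGINS = {
    "foxypress": "/*\nPlugin Name: FoxyPress\nVersion: 0.4.2.1\n*/",   # needs update
    "user-meta": "/*\nPlugin Name: User Meta\nVersion: 1.1.1.1\n*/",  # already fixed
    "evarisk": "/*\nPlugin Name: Evarisk\nVersion: 5.1.5.4\n*/",      # no fix: remove
    "akismet": "/*\nPlugin Name: Akismet\nVersion: 2.5.6\n*/",        # not listed
}

def parse_version(header: str):
    """Return the Version: value from a plugin header block, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.M)
    return m.group(1) if m else None

def version_tuple(v: str):
    """Compare dotted versions numerically, so 2.5.30 sorts after 2.5.4."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def assess(slug: str, header: str) -> str:
    """Return 'ok', 'update' or 'remove' for one installed plugin."""
    if slug not in ADVISORIES:
        return "ok"
    fixed = ADVISORIES[slug]
    if fixed is None:
        return "remove"  # pulled from WordPress.org with no fix: deactivate and remove
    installed = parse_version(header)
    if installed is None or version_tuple(installed) < version_tuple(fixed):
        return "update"  # a fixed release exists: update to the latest version now
    return "ok"

def audit(plugins):
    """Map every installed plugin slug to the action it needs."""
    return {slug: assess(slug, hdr) for slug, hdr in plugins.items()}

if __name__ == "__main__":
    for slug, action in audit(SAMPLE_PLUGINS).items():
        print(f"{slug}: {action}")
```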

LEAVE YOUR FEEDBACK

Have a question about the security of these WordPress plugins? If you need to report a plugin vulnerability, or have found a plugin that has been removed from the WordPress.org repository, please let us know. Leave your comment below.

I spend hours on these reports to help you stay safe. Please help other WordPress users as well by sharing this post using the buttons below.

Filed Under: Bugs & Vulnerabilities Tagged With: hacked wordpress plugin

Comments

  1. Dr. MaryJo Wagner says

    June 18, 2012 at 2:10 pm

    Yippee. I don’t have any of those plug-ins! Thanks Regina for your good work and keeping all of us up to date!

  2. Robert Nelson says

    June 18, 2012 at 3:05 pm

    Ditto, but was saddened to learn that even the premium version of Automatic Upgrade Plug-in became vulnerable. Had used the free version till recently, when an upgrade broke it. May look into the feasibility of obtaining the premium version. Never quite understood why the folks at WP decided to come out with an inferior version of Automatic Upgrade.

    • Regina Smola says

      June 18, 2012 at 3:09 pm

      Hi Robert,

      I think you misunderstood. The premium plugin is the one with a security update. Click on the Download/Changelog link for the plugin and read the changelog about halfway down the page for details. This is not related to WordPress auto-updates.

  3. S Emerson says

    June 18, 2012 at 11:52 pm

    Like Dr. MaryJo Wagner I don’t use any of these.

    Don’t use any of the ones on your June 12 list either. (wink)

  4. Robert Nelson says

    June 19, 2012 at 5:18 pm

    For sure whatever the Automatic plug-in is, isn’t what I want or need. It is my understanding that there is a Premium version of the once free Automatic Upgrade WordPress plug-in. Just spent $15 for an unneeded plug-in; hopefully they will refund my money.

    • Regina Smola says

      June 19, 2012 at 6:22 pm

      What was the name of the plugin that was free before or the url where you used to download it?
