WPSecurityLock – Malware removal & WordPress security services


WordPress Security Plugin Report: Vulnerabilities and Fixes – 06-22-2012

June 22, 2012 By Regina Smola 14 Comments

WordPress Security Report of Plugin Vulnerabilities and Security Fixes/Patches

On June 22, 2012, I checked WordPress security on the following plugins reported with vulnerabilities.

Important! When a plugin exploit is found, the bad guys brag about it online and can cause mass hack attacks on those using it.

I check for new threats daily and have made it my mission to help you keep your WordPress site safe.

This information is not to freak you out. It's to wake you up and take action. I do this WordPress security research and share it with you to make you aware of any security issues so you can protect your WordPress website(s).

Please note: I have listed the plugin versions that have been found to have security vulnerabilities. Earlier versions of these plugins may also be affected. If the plugin has been updated with a security fix, you need to upgrade ASAP. If a plugin has been removed from the repository and you're using an earlier version than what is listed below, you should deactivate and remove it immediately.

WordPress Plugins Security Fixes

The following plugins have been updated to fix security vulnerabilities. If you are using any of the plugins below, please log in to your WordPress Dashboard and update to the latest version immediately.

  1. Annonces plugin vulnerability in Version 1.2.0.1
    Security fixed in Version 1.2.0.2 on 06/20/2012
    Download: http://wordpress.org/extend/plugins/annonces/
    Changelog: http://wordpress.org/extend/plugins/annonces/changelog/
  2. Evarisk plugin vulnerability in Version 5.1.5.4
    Security fixed in Version 5.1.5.5 on 06/20/2012
    Download: http://wordpress.org/extend/plugins/evarisk/
    Changelog: http://wordpress.org/extend/plugins/evarisk/changelog/
  3. Front End Upload plugin vulnerability in 0.5.3 (free version only, not pro)
    Security fixed in Version 0.5.4.3 on 06/10/2012
    Download: http://wordpress.org/extend/plugins/front-end-upload/
    Changelog: http://wordpress.org/extend/plugins/front-end-upload/changelog/
  4. kk Star Ratings plugin vulnerability in Version 1.7
    Security fixed in Version 1.7.1. Current version 1.7.2 on 06/19/2012
    Download: http://wordpress.org/extend/plugins/kk-star-ratings/
    Changelog: http://wordpress.org/extend/plugins/kk-star-ratings/changelog/
  5. Nmedia MailChimp Widget plugin vulnerability in Version 3.1
    Security fixed in Version 3.2 on 06/13/2012
    Download: http://wordpress.org/extend/plugins/nmedia-mailchimp-widget/
    Changelog: http://wordpress.org/extend/plugins/nmedia-mailchimp-widget/changelog/
  6. Nmedia WordPress Member Conversation plugin vulnerability in Version 1.3
    Security fixed in Version 1.4 on 06/10/2012
    Download: http://wordpress.org/extend/plugins/wordpress-member-private-conversation/
    Changelog: http://wordpress.org/extend/plugins/wordpress-member-private-conversation/changelog/
  7. NS Utilities plugin vulnerability in Version 1.0
    Security fixed in Version 1.1 on 06/13/2012
    Download: http://wordpress.org/extend/plugins/ns-utilities/
    Changelog: http://wordpress.org/extend/plugins/ns-utilities/changelog/
  8. Omni Secure files plugin vulnerability in Version 0.1.13
    Security fixed in Version 0.1.15 on 06/12/2012
    Download: http://wordpress.org/extend/plugins/omni-secure-files/
    Changelog: http://wordpress.org/extend/plugins/omni-secure-files/changelog/
  9. PDW Media File Browser plugin vulnerability in Version 1.1
    Security fix in Version 1.2. Current version 1.3 on 06/21/2012
    Download: http://wordpress.org/extend/plugins/pdw-file-browser/ (Plugin has been deleted from WordPress.org as of 11/14/12)
    Changelog: http://wordpress.org/extend/plugins/pdw-file-browser/changelog/ (Plugin has been deleted from WordPress.org as of 11/14/12)
  10. TheCartPress eCommerce Shopping Cart plugin vulnerability in Version 1.1.9.2
    Security fixed in Version 1.1.9.3 on 06/21/2012
    Download: http://wordpress.org/extend/plugins/thecartpress/
    Changelog: http://wordpress.org/extend/plugins/thecartpress/changelog/
  11. WordPress Mac Photo Gallery plugin vulnerability in Version 2.7
    Security fixed in Version 2.10 on 06/20/2012
    Download: http://wordpress.org/extend/plugins/mac-dock-gallery/ (Plugin has been deleted from WordPress.org as of 11/14/12)
    Trac: http://plugins.trac.wordpress.org/log/mac-dock-gallery
  12. WassUp Real Time Analytics plugin vulnerability in Version 1.8.3
    Security fixed in Version 1.8.3.1
    Download: http://wordpress.org/extend/plugins/wassup/
    Changelog: http://wordpress.org/extend/plugins/wassup/changelog/

WordPress Plugins Removed for Vulnerabilities

The plugins below have been reported with security vulnerabilities and removed from the plugins repository at wordpress.org. For WordPress security, if you're using these plugins please deactivate them and delete them from your site. Leaving them on your server poses a security risk. Before using, please wait until a security fix has been released or find an alternative plugin.

  1. Easy Contact Forms Export plugin vulnerability in Version 1.1.0
    Old URL: http://wordpress.org/extend/plugin/easy-contact-forms-exporter/
    Trac: http://plugins.trac.wordpress.org/log/easy-contact-forms-exporter (last update 04/02/2012)
  2. FCChat Widget plugin vulnerability in Versions 2.2.12.2 through 2.2.13.1
    Old URL: http://wordpress.org/extend/plugins/fcchat/
    Trac: http://plugins.trac.wordpress.org/log/fcchat (last update 06/13/2012)
  3. Front File Manager plugin vulnerability in Version 0.1
    Old URL: http://wordpress.org/extend/plugins/front-file-manager/
    Trac: http://plugins.trac.wordpress.org/log/front-file-manager (last update 01/24/2012)
  4. Hungred Post Thumbnail plugin vulnerability in Version 2.1.9
    Old URL: http://wordpress.org/extend/plugins/hungred-post-thumbnail/
    Trac: http://plugins.trac.wordpress.org/log/hungred-post-thumbnail (last updated 06/26/2012)
  5. Plugin: Newsletter plugin vulnerability in Version 1.5
    Old URL: http://wordpress.org/extend/plugins/plugin-newsletter/
    Trac: http://plugins.trac.wordpress.org/log/plugin-newsletter (last update 11/23/2011)
  6. WordPress Schreikasten plugin vulnerability in Version 0.14.13
    Old URL: http://wordpress.org/extend/plugins/schreikasten/
    Trac: http://plugins.trac.wordpress.org/log/schreikasten (last update 09/16/2011)
  7. WORDPRESS VIDEO GALLERY plugin vulnerability in Version 1.3
    Old URL: http://wordpress.org/extend/plugins/contus-video-galleryversion-10/
    Trac: http://plugins.trac.wordpress.org/log/contus-video-galleryversion-10/ (last update 12/28/2011)
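
To check a site against both lists above, here is an added example (not part of the original report) that audits a plugin inventory by slug and version. The slugs and fixed versions are taken from the lists; the sample inventory and the slug `example-plugin` are constructed, and in practice the inventory would come from the folder names under `wp-content/plugins` or from WP-CLI's `wp plugin list`.

```python
# Added example: slugs and fixed versions come from the report's lists;
# SAMPLE_INVENTORY is constructed for illustration.
FIXED_IN = {  # plugin slug -> first version carrying the security fix
    "annonces": "1.2.0.2", "evarisk": "5.1.5.5",
    "front-end-upload": "0.5.4.3", "kk-star-ratings": "1.7.1",
    "nmedia-mailchimp-widget": "3.2",
    "wordpress-member-private-conversation": "1.4",
    "ns-utilities": "1.1", "omni-secure-files": "0.1.15",
    "pdw-file-browser": "1.2", "thecartpress": "1.1.9.3",
    "mac-dock-gallery": "2.10", "wassup": "1.8.3.1",
}
REMOVED = {  # pulled from the repository, no fixed release listed
    "easy-contact-forms-exporter", "fcchat", "front-file-manager",
    "hungred-post-thumbnail", "plugin-newsletter", "schreikasten",
    "contus-video-galleryversion-10",
}
SAMPLE_INVENTORY = {  # constructed: slug -> installed version
    "mac-dock-gallery": "2.7", "kk-star-ratings": "1.7.2",
    "fcchat": "2.2.13.1", "wassup": "1.8.3", "example-plugin": "1.0",
}

def parse_version(text):
    """Turn '1.2.0.1' into (1, 2, 0, 1) so that 2.10 sorts after 2.7."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 1.4.0 the same as 1.4
        parts.pop()
    return tuple(parts)

def audit(installed):
    """Return {slug: action} for each installed plugin named in the report."""
    findings = {}
    for slug, version in installed.items():
        if slug in REMOVED:
            findings[slug] = "deactivate and delete (removed from repository)"
        elif slug in FIXED_IN:
            try:
                outdated = parse_version(version) < parse_version(FIXED_IN[slug])
            except ValueError:  # e.g. '1.2-beta': do not guess, flag it
                findings[slug] = "check manually (unparseable version)"
                continue
            if outdated:  # anything older than the fix counts as affected
                findings[slug] = "update to %s or later" % FIXED_IN[slug]
    return findings

if __name__ == "__main__":
    for slug, action in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{slug}: {action}")
```

Comparing versions as plain strings would rank 2.10 below 2.7 and report the vulnerable Mac Photo Gallery 2.7 as already patched, which is why the versions are compared segment by segment.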

LEAVE YOUR FEEDBACK

Have a question about the security of these WordPress plugins? Need to report a plugin vulnerability, or have you found a plugin that has been removed from the WordPress.org repository? Please let us know. Leave your comment below.

P.S. I spend hours on these WordPress Security Reports to help you stay safe. Please help other WordPress users as well by sharing this post using the buttons below. Hint: The hashtags I use are #WordPress and #WP.

Filed Under: Bugs & Vulnerabilities Tagged With: hacked wordpress plugin

Comments

  1. Regina Smola says

    June 22, 2012 at 12:55 pm

    I just updated the post with a plugin that was just removed from wordpress.org – WordPress Schreikasten (#6 above)

    Reply
  2. bob marconi says

    June 22, 2012 at 2:14 pm

    Luckily I’m not using any of the problem plugins. Website security is hard to keep up with these days. Appreciate the info :-))

    Reply
    • Regina Smola says

      June 22, 2012 at 2:17 pm

      Hey Bob,

      Thanks for your comment and you’re welcome. You’re right, it is hard to keep up with WordPress security, but glad I’m here to help make you aware.

      Reply
  3. Hakaner says

    June 22, 2012 at 2:18 pm

    Thank you for these plugin security alerts. I just removed 3 plugins (Mailchimp widget, Newsletter and video plugins). In fact, the mailchimp plugin updated to the new version, but I do not like the appearance of the new version of this plugin. So, I completely uninstalled this plugin instead of using the old version.

    Reply
    • Regina Smola says

      June 22, 2012 at 2:22 pm

      Hi Hakaner,

      You’re very welcome. Glad you caught those before they caused any damage. I haven’t seen the new version of mailchimp yet, what didn’t you like about the new version?

      Reply
      • Hakaner says

        June 22, 2012 at 3:03 pm

        Because the new version does not support easy custom backgrounds and buttons in the subscription form. Now, you have to use a blank form or must have knowledge of CSS.

        Reply
  4. Patty Gale says

    June 22, 2012 at 3:42 pm

    Regina, I LOVE how you keep us updated on all this stuff (so I don’t have to!) You rock, thank you! Thankfully, neither I nor any of our clients use any of these plugins.

    Reply
    • Michael Schultz says

      June 22, 2012 at 4:25 pm

      Regina does like to stay on top of these things, as do all of us here at WPSecurityLock. I’m really glad that it helped you Patty! Stay secure. 🙂

      -Mike

      Reply
  5. Greg Purnell says

    June 23, 2012 at 1:00 am

    Hi Regina,

    I just had my WP blog hacked about 2 days ago, and it is gone. They left a black page that said “F**k your security” and hacked by Black Newbie Team. They erased all my pages from my site. Any way to get it back?

    Thanks, Greg

    Reply
    • Regina Smola says

      June 23, 2012 at 7:43 am

      Hi Greg,

      Sorry to hear your WordPress site was attacked. Don’t panic. It sounds like your website was defaced. Your content (pages, posts, comments, settings, etc.) is stored in a database. And your files are probably still on your server, but just need to be cleaned. I’ve cleaned hundreds of defaced websites and was able to restore them back to normal. If you want me to help clean your site for you, go here.

      Reply
  6. Greg says

    June 26, 2012 at 12:22 pm

    Have you had any problems with timthumb.php or thumb.php that some templates use?

    Reply
    • Regina Smola says

      June 26, 2012 at 1:59 pm

      Hey Greg,

      Thanks for your question. I have not had any problems on themes that are using the latest timthumb script. Only those that are using the outdated vulnerable one (Pre 2.8.3). I recommend installing the Timthumb Vulnerability Scanner plugin by Peter Butler to check it.

      Reply
  7. Robert Nelson says

    July 29, 2012 at 3:29 pm

    Great addition to the WP Security Lock Team is Michael Schultz.

    Reply
