WordPress Plugins You Should Check This Halloween!
UPDATED
A serious vulnerability in the WP eCommerce plugin was announced within the last 24 hours. A fix has been released, and some hosting companies are already auto-upgrading customers to the newest version. If you DON'T have a Premium Unlimited WordPress Support plan from WPBlogSupport.com and you use this plugin, upgrade WP eCommerce to 3.8.14.4 immediately. With 3 million downloads, this is a very popular plugin.
Wordfence just released its October 30th 2014 security update, and a couple of popular WordPress plugins unfortunately made the list. I've included the details below. If you are a WPBlogSupport client and have one of these plugins installed with an available update, your WordPress site has already been updated.
The Unlimited Live WordPress Support package for WPBlogSupport clients includes Wordfence scanning and automatic updates of WordPress core, plugins and themes. Here are the details from the bulletin:
This is a WordPress security report for Oct 30th 2014. We are publishing a list of current critical vulnerabilities that we want to draw your attention to. Please scan the list below and if you are using any of the products listed, or if you are aware of anyone using the products listed, please take the appropriate action which we include in each bullet point below.
- Creative Contact Form has a shell upload vulnerability in all versions prior to 1.0.0. Upgrade immediately. Reported by ExploitDB.
- The current version of CP Multi View Event Calendar 1.01 has an SQL injection vulnerability. Uninstall the plugin immediately until a fix is released. Published on PacketStorm by Claudio Viviani.
- (Chinese) The Alipay plugin for WordPress has an XSS vulnerability in versions 3.6.0 and lower. It may have been fixed in the newest version although that version does not have an entry in the plugin changelog. Disclosed by Prajal Kulkarni on CodeVigilant.
- The current version of Rich Counter 1.1.5 (possibly abandoned) contains an XSS vulnerability. Uninstall the plugin until a fix is released. Disclosed by XroGuE on Packetstorm.
- The InfusionSoft Gravity Forms AddOn contains a file upload vulnerability in 1.5.10 and older. Upgrade immediately to 1.5.11. Disclosed by g0blin; Metasploit module by us3r777.
- The popular WP Google Maps plugin contains an XSS vulnerability in version 6.0.26 and possibly earlier versions. Upgrade to 6.0.28 immediately. Disclosed by HTBridge.
This list originally appeared here: http://www.wordfence.com/blog/2014/10/wordpress-security-plugin-vulnerabilities
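If you manage your own sites, the quickest way to act on a list like this is to compare it against your actual plugin inventory rather than eyeballing the admin screen. Below is an added example script that does that; it is not from the original post and is not Wordfence's or WPBlogSupport's code. It reads the CSV that WP-CLI prints for `wp plugin list --format=csv` (columns name, status, update, version), applies one rule per bulletin entry, and reports what to do. The plugin slugs in RULES are assumptions for the example and must be checked against the slugs your own site reports; the sample inventory at the bottom is constructed.

```python
"""Flag installed WordPress plugins covered by the 30 Oct 2014 Wordfence list.

Added example, not code from the original post, Wordfence or WPBlogSupport.
Input is the CSV that `wp plugin list --format=csv` prints (columns
name,status,update,version); SAMPLE_CSV below is constructed.  The plugin
slugs in RULES are ASSUMED and must be checked against your own inventory.
"""
import csv
import io
import sys


def parse_version(text):
    """'3.8.14.4' -> (3, 8, 14, 4).  Non-digit characters are dropped so a
    tag such as '1.0.0-beta' still sorts with its numeric prefix."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def older_than(installed, reference):
    """True if installed < reference.  Shorter tuples are zero-padded so
    that '6.0' and '6.0.0' compare equal instead of '6.0' sorting first."""
    a, b = parse_version(installed), parse_version(reference)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# One rule per bulletin entry.  "fixed_in": vulnerable if installed < fixed_in.
# "no_fix_up_to": vulnerable if installed <= that version; no safe release is
# known, so the only remediation is removal.  Slugs are ASSUMED placeholders.
RULES = [
    {"slug": "wp-e-commerce", "fixed_in": "3.8.14.4",
     "action": "upgrade to 3.8.14.4"},
    {"slug": "creative-contact-form", "fixed_in": "1.0.0",
     "action": "upgrade to 1.0.0 or later (shell upload)"},
    {"slug": "cp-multi-view-calendar", "no_fix_up_to": "1.01",
     "action": "uninstall until a fix is released (SQL injection)"},
    {"slug": "alipay", "no_fix_up_to": "3.6.0",
     "action": "uninstall until a fix is confirmed (XSS)"},
    {"slug": "rich-counter", "no_fix_up_to": "1.1.5",
     "action": "uninstall; plugin may be abandoned (XSS)"},
    {"slug": "infusionsoft-gravity-forms-addon", "fixed_in": "1.5.11",
     "action": "upgrade to 1.5.11 (file upload)"},
    {"slug": "wp-google-maps", "fixed_in": "6.0.28",
     "action": "upgrade to 6.0.28 (XSS)"},
]


def is_affected(rule, installed):
    if "fixed_in" in rule:
        return older_than(installed, rule["fixed_in"])
    return not older_than(rule["no_fix_up_to"], installed)


def audit(csv_text):
    """Return [(slug, installed_version, action), ...] in inventory order.

    Inactive plugins are reported too: deactivating leaves the plugin's PHP
    files on disk, and a file that can be requested directly still runs.
    Only uninstalling (or upgrading) removes the vulnerable code."""
    by_slug = {rule["slug"]: rule for rule in RULES}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule = by_slug.get(row["name"])
        if rule is not None and is_affected(rule, row["version"]):
            findings.append((row["name"], row["version"], rule["action"]))
    return findings


# Constructed sample inventory in `wp plugin list --format=csv` layout.
SAMPLE_CSV = """name,status,update,version
wp-e-commerce,active,available,3.8.14.3
wp-google-maps,active,none,6.0.28
creative-contact-form,active,none,0.9.9
cp-multi-view-calendar,inactive,none,1.01
akismet,active,none,3.0.2
"""

if __name__ == "__main__":
    # Real use: wp plugin list --format=csv | python3 audit.py
    # With nothing piped in, the constructed sample is audited instead.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for slug, version, action in audit(data or SAMPLE_CSV):
        print(f"{slug} {version}: {action}")
```

Two points worth noting. The comparison is numeric per component, so 3.8.14.3 is correctly older than 3.8.14.4 (a plain string sort would get 6.0.9 versus 6.0.28 wrong). And the script deliberately does not skip plugins whose status is "inactive": the bulletin says uninstall, not deactivate, because a deactivated plugin's files remain on the web server and a directly requestable upload or query handler can still be reached.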
If you're not sure, just ask. You can always get Live WordPress Support from the Keeners at WPBlogSupport.com