The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WordPress Plugins ~ not comprehensive

vulnerability announcement CVE-2018-17074

WordPress Feed Statistics: open redirect

Synthesis of the vulnerability

An attacker can deceive the user of WordPress Feed Statistics, in order to redirect him to a malicious site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 1/4.
Creation date: 17/09/2018.
Identifiers: CVE-2018-17074, VIGILANCE-VUL-27242.

Description of the vulnerability

The Feed Statistics plugin can be installed on WordPress.

However, the web service redirects the victim, without warning, to an external site specified by the attacker.

An attacker can therefore deceive the user of WordPress Feed Statistics, in order to redirect him to a malicious site.

computer vulnerability note CVE-2018-14430

WordPress Mondula Multi Step Form: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Mondula Multi Step Form, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 26/07/2018.
Identifiers: CVE-2018-14430, VIGILANCE-VUL-26849.

Description of the vulnerability

The Mondula Multi Step Form plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Mondula Multi Step Form, in order to run JavaScript code in the context of the web site.

computer vulnerability 26845

WordPress Gwolle Guestbook: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Gwolle Guestbook, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 25/07/2018.
Identifiers: DC-2018-05-008, VIGILANCE-VUL-26845.

Description of the vulnerability

The Gwolle Guestbook plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Gwolle Guestbook, in order to run JavaScript code in the context of the web site.

vulnerability note 26844

WordPress Strong Testimonials: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Strong Testimonials, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 25/07/2018.
Identifiers: DC-2018-05-007, VIGILANCE-VUL-26844.

Description of the vulnerability

The Strong Testimonials plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Strong Testimonials, in order to run JavaScript code in the context of the web site.

vulnerability bulletin 26843

WordPress Snazzy Maps: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Snazzy Maps, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 25/07/2018.
Identifiers: DC-2018-05-006, VIGILANCE-VUL-26843.

Description of the vulnerability

The Snazzy Maps plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Snazzy Maps, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2018-14071

WordPress Geo Mashup: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Geo Mashup, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 17/07/2018.
Identifiers: CVE-2018-14071, VIGILANCE-VUL-26760.

Description of the vulnerability

The Geo Mashup plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Geo Mashup, in order to run JavaScript code in the context of the web site.

computer vulnerability alert CVE-2018-13136

WordPress Ultimate Member: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Ultimate Member, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 05/07/2018.
Identifiers: 456, CVE-2018-13136, VIGILANCE-VUL-26626.

Description of the vulnerability

The Ultimate Member plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Ultimate Member, in order to run JavaScript code in the context of the web site.

computer vulnerability CVE-2018-1000556

WordPress WP Statistics: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress WP Statistics, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 27/06/2018.
Identifiers: CVE-2018-1000556, VIGILANCE-VUL-26555.

Description of the vulnerability

The WP Statistics plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress WP Statistics, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2018-12636

WordPress iThemes Security: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of WordPress iThemes Security, in order to read or alter data.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 25/06/2018.
Identifiers: CVE-2018-12636, VIGILANCE-VUL-26513.

Description of the vulnerability

The WordPress iThemes Security product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection of WordPress iThemes Security, in order to read or alter data.

vulnerability bulletin CVE-2018-12534

WordPress Quick Chat: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of WordPress Quick Chat, in order to read or alter data.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Creation date: 19/06/2018.
Identifiers: CVE-2018-12534, VIGILANCE-VUL-26453.

Description of the vulnerability

The WordPress Quick Chat product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection of WordPress Quick Chat, in order to read or alter data.