The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WordPress Plugins ~ not comprehensive

vulnerability CVE-2019-6780

WordPress Wise Chat: open redirect

Synthesis of the vulnerability

An attacker can deceive the user of WordPress Wise Chat, in order to redirect him to a malicious site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 25/01/2019.
Identifiers: CVE-2019-6780, VIGILANCE-VUL-28370.

Description of the vulnerability

The Wise Chat plugin can be installed on WordPress.

However, the plugin's redirect endpoint sends the visitor, without any warning, to whatever external URL the request names, so the destination is chosen by the attacker.

An attacker can therefore deceive the user of WordPress Wise Chat, in order to redirect him to a malicious site.

vulnerability alert CVE-2018-20231

WordPress Two Factor Authentication: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of WordPress Two Factor Authentication, in order to force the victim to perform operations.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 20/12/2018.
Identifiers: CVE-2018-20231, VIGILANCE-VUL-28071.

Description of the vulnerability

The Two Factor Authentication plugin can be installed on WordPress.

However, the origin of requests is not verified, so a request can be made to originate from another site: for example, an image element on an attacker's HTML page can point its source at the plugin's action URL, and the victim's browser then issues that request with the victim's session cookies attached.

An attacker can therefore trigger a Cross Site Request Forgery of WordPress Two Factor Authentication, in order to force the victim to perform operations.
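The following is an added example and not code from the Two Factor Authentication plugin or from Vigil@nce. It shows a state-changing plugin action first in the unprotected shape the bulletin describes, then with the two checks that defeat a cross-site request: an Origin/Referer comparison and a per-user, per-action token. It is standalone PHP; the site origin `https://site.example`, the attacker host `attacker.test`, the action name `disable_2fa` and all function names are assumptions. A WordPress plugin would use `wp_create_nonce()` / `wp_nonce_field()` on the form and `check_admin_referer()` or `wp_verify_nonce()` in the handler, which bind the token to the user and action in the same way.

```php
<?php
// Added example, not code from the Two Factor Authentication plugin or from
// Vigil@nce. Run with: php csrf_check.php

declare(strict_types=1);

const SITE_ORIGIN = 'https://site.example';   // assumed canonical site origin

/** Token bound to one user and one action; $secret is a server-side key. */
function make_nonce(string $secret, int $user_id, string $action): string
{
    // WordPress nonces additionally mix in the session token and a time tick;
    // omitted here to keep the example self-contained.
    return hash_hmac('sha256', $user_id . '|' . $action, $secret);
}

function verify_nonce(string $secret, int $user_id, string $action, ?string $nonce): bool
{
    return $nonce !== null && hash_equals(make_nonce($secret, $user_id, $action), $nonce);
}

/**
 * Browsers attach Origin to cross-site POSTs and Referer to most navigations
 * and sub-resource loads (the <img> case), so either header naming a foreign
 * site means the request did not come from our own pages. Absence of both is
 * also rejected: a state-changing action gets no benefit of the doubt.
 */
function origin_allowed(array $headers): bool
{
    $h   = array_change_key_case($headers, CASE_LOWER);
    $src = $h['origin'] ?? $h['referer'] ?? null;
    if ($src === null) {
        return false;
    }
    $p = parse_url($src);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    return strtolower($p['scheme'] . '://' . $p['host']) === SITE_ORIGIN;
}

// Unprotected shape: any request that reaches the endpoint while the victim is
// logged in performs the action, including a GET issued by
// <img src="https://site.example/wp-admin/admin-post.php?action=disable_2fa">
// placed on an attacker's page.
function disable_2fa_vulnerable(array $request, int $user_id): string
{
    return "2FA disabled for user $user_id";
}

// Hardened: state changes only on POST, only from our origin, only with a nonce.
function disable_2fa_hardened(array $request, int $user_id, string $secret): string
{
    if ($request['method'] !== 'POST') {
        return 'rejected: not a POST';
    }
    if (!origin_allowed($request['headers'])) {
        return 'rejected: foreign or missing Origin/Referer';
    }
    if (!verify_nonce($secret, $user_id, 'disable_2fa', $request['body']['_nonce'] ?? null)) {
        return 'rejected: missing or wrong nonce';
    }
    return "2FA disabled for user $user_id";
}

$secret = bin2hex(random_bytes(32));   // in practice a persisted key, e.g. from wp-config.php
$victim = 42;                          // the logged-in user whose cookies the browser attaches

// Constructed requests, as the victim's browser would send them.
$requests = [
    '<img> on attacker.test (GET)'         => ['method' => 'GET',  'headers' => ['Referer' => 'https://attacker.test/page.html'], 'body' => []],
    'auto-submitted form on attacker.test' => ['method' => 'POST', 'headers' => ['Origin' => 'https://attacker.test'], 'body' => ['_nonce' => 'guess']],
    'POST with no Origin/Referer at all'   => ['method' => 'POST', 'headers' => [], 'body' => ['_nonce' => 'guess']],
    "the plugin's own settings form"       => ['method' => 'POST', 'headers' => ['Origin' => SITE_ORIGIN],
                                               'body' => ['_nonce' => make_nonce($secret, $victim, 'disable_2fa')]],
];

foreach ($requests as $label => $req) {
    printf("%-38s vulnerable: %-26s hardened: %s\n", $label,
        disable_2fa_vulnerable($req, $victim), disable_2fa_hardened($req, $victim, $secret));
}
```

The first three requests succeed against the unprotected handler and are rejected by the hardened one, each for a different reason; only the plugin's own form, carrying the correct token and a same-site Origin, gets through. The origin check alone is not enough (some clients omit both headers), and the nonce alone leaves the endpoint open to a GET in an image tag if it does not also insist on POST, which is why the hardened handler applies all three.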

vulnerability CVE-2018-20101

WordPress Import users from CSV with meta: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Import users from CSV with meta, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/12/2018.
Identifiers: CVE-2018-20101, VIGILANCE-VUL-28020.

Description of the vulnerability

The Import users from CSV with meta plugin can be installed on WordPress.

However, it does not escape received data before inserting it into the HTML documents it generates.

An attacker can therefore trigger a Cross Site Scripting of WordPress Import users from CSV with meta, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2018-19796

WordPress Ninja Forms: open redirect

Synthesis of the vulnerability

An attacker can deceive the user of WordPress Ninja Forms, in order to redirect him to a malicious site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 04/12/2018.
Identifiers: CVE-2018-19796, VIGILANCE-VUL-27943.

Description of the vulnerability

The Ninja Forms plugin can be installed on WordPress.

However, the plugin's redirect endpoint sends the visitor, without any warning, to whatever external URL the request names, so the destination is chosen by the attacker.

An attacker can therefore deceive the user of WordPress Ninja Forms, in order to redirect him to a malicious site.
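The Wise Chat and Ninja Forms bulletins above describe the same defect, so one added example covers both. It is not code from either plugin or from Vigil@nce: it is standalone PHP showing the validation a redirect endpoint needs before honouring a client-supplied `redirect_to` value, beside the unchecked shape the bulletins describe. The host names `site.example` and `evil.test`, the parameter name `redirect_to` and the function names are assumptions. In a WordPress plugin the equivalent is `wp_safe_redirect()`, which validates the target with `wp_validate_redirect()` and falls back to the admin URL otherwise.

```php
<?php
// Added example, not code from Wise Chat, Ninja Forms or Vigil@nce.
// Run with: php open_redirect.php

declare(strict_types=1);

/**
 * Return $target if it stays on $site_host, otherwise $fallback.
 * Host names are compared case-insensitively.
 */
function safe_redirect_target(string $target, string $site_host, string $fallback = '/'): string
{
    $target = trim($target);

    // Empty value, or control characters (CR/LF would also allow header
    // injection into the Location: header): never redirect there.
    if ($target === '' || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }

    // "//evil.test" and "/\evil.test" are scheme-relative URLs to a browser,
    // even though parse_url() reports them as a bare host or as a path.
    if (preg_match('#^[/\\\\][/\\\\]#', $target)) {
        return $fallback;
    }

    $p = parse_url($target);
    if ($p === false) {
        return $fallback;
    }

    if (isset($p['scheme'])) {
        // Absolute URL: only http(s) on our own host is acceptable. This also
        // rejects "javascript:", "data:" and "https://site.example@evil.test/"
        // (parse_url puts evil.test in 'host' and site.example in 'user').
        $scheme = strtolower($p['scheme']);
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $fallback;
        }
        if (!isset($p['host']) || strtolower($p['host']) !== strtolower($site_host)) {
            return $fallback;
        }
        return $target;
    }

    // No scheme: accept only a root-relative path such as "/wp-admin/...".
    if (isset($p['host']) || $target[0] !== '/') {
        return $fallback;
    }
    return $target;
}

// The vulnerable shape the bulletins describe: the client's value is used
// as-is for the Location: header.
function redirect_vulnerable(array $get): string
{
    return $get['redirect_to'] ?? '/';
}

function redirect_hardened(array $get, string $site_host): string
{
    return safe_redirect_target($get['redirect_to'] ?? '', $site_host, '/');
}

// Constructed inputs of the kind an attacker places in a crafted link.
$cases = [
    '/wp-admin/profile.php'                  => '/wp-admin/profile.php',
    'https://site.example/chat/'             => 'https://site.example/chat/',
    'HTTPS://SITE.EXAMPLE/chat/'             => 'HTTPS://SITE.EXAMPLE/chat/',
    'https://evil.test/login'                => '/',
    '//evil.test/login'                      => '/',
    '/\\evil.test/login'                     => '/',
    'https://site.example@evil.test/'        => '/',
    'https://site.example.evil.test/'        => '/',
    'javascript:alert(1)'                    => '/',
    "https://site.example/\r\nSet-Cookie: x" => '/',
];

foreach ($cases as $input => $expected) {
    $got = redirect_hardened(['redirect_to' => $input], 'site.example');
    printf("%-44s vulnerable -> %-44s hardened -> %s%s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        json_encode(redirect_vulnerable(['redirect_to' => $input]), JSON_UNESCAPED_SLASHES),
        json_encode($got, JSON_UNESCAPED_SLASHES),
        $got === $expected ? '' : '  (UNEXPECTED)');
}
```

The unchecked handler returns every input unchanged, so a link such as `?redirect_to=https://evil.test/login` on the real site sends the victim to a page the attacker controls, with the real site's name in the link they clicked. The hardened version keeps only root-relative paths and absolute URLs on the site's own host; the cases with `@`, a leading `//` or `/\`, a look-alike subdomain and a non-HTTP scheme are the ones a naive "starts with our host name" or "starts with /" test gets wrong.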

computer vulnerability announce CVE-2018-19370

WordPress Yoast SEO: code execution via ZIP Import

Synthesis of the vulnerability

An attacker can exploit a vulnerability in the ZIP import feature of WordPress Yoast SEO, in order to run code.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights.
Provenance: privileged account.
Creation date: 29/11/2018.
Identifiers: CVE-2018-19370, VIGILANCE-VUL-27907.

Description of the vulnerability

An attacker can exploit a vulnerability in the ZIP import feature of WordPress Yoast SEO, in order to run code.

computer vulnerability CVE-2018-19564

WordPress Easy Testimonials: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Easy Testimonials, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 27/11/2018.
Identifiers: CVE-2018-19564, VIGILANCE-VUL-27885.

Description of the vulnerability

The Easy Testimonials plugin can be installed on WordPress.

However, it does not escape received data before inserting it into the HTML documents it generates.

An attacker can therefore trigger a Cross Site Scripting of WordPress Easy Testimonials, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2018-19287

WordPress Ninja Forms: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Ninja Forms, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 16/11/2018.
Identifiers: CVE-2018-19287, VIGILANCE-VUL-27803.

Description of the vulnerability

The Ninja Forms plugin can be installed on WordPress.

However, it does not escape received data before inserting it into the HTML documents it generates.

An attacker can therefore trigger a Cross Site Scripting of WordPress Ninja Forms, in order to run JavaScript code in the context of the web site.

vulnerability announce 27782

WordPress Custom Frontend Login Registration Form: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Custom Frontend Login Registration Form, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 14/11/2018.
Identifiers: VIGILANCE-VUL-27782.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Custom Frontend Login Registration Form, in order to run JavaScript code in the context of the web site.

computer vulnerability alert 27756

WordPress PeepSo: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress PeepSo, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 12/11/2018.
Identifiers: VIGILANCE-VUL-27756.

Description of the vulnerability

The PeepSo plugin can be installed on WordPress.

However, it does not escape received data before inserting it into the HTML documents it generates.

An attacker can therefore trigger a Cross Site Scripting of WordPress PeepSo, in order to run JavaScript code in the context of the web site.
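The Import users from CSV with meta, Easy Testimonials, Ninja Forms and PeepSo bulletins all describe the same defect (received data inserted into generated HTML without escaping), so one added example serves all four. It is not code from any of those plugins or from Vigil@nce: it is standalone PHP rendering one untrusted record first in the unescaped shape the bulletins describe, then with escaping chosen per output context. The CSV record, the field names and the function names are constructed for the example, and the URL scheme allow-list is an assumption. WordPress exposes the same escapers as `esc_html()`, `esc_attr()` and `esc_url()`, whose scheme list is wider than the one used here.

```php
<?php
// Added example, not code from Import users from CSV with meta, Easy
// Testimonials, Ninja Forms, PeepSo or Vigil@nce. Run with: php xss_escape.php

declare(strict_types=1);

/** Text between tags. */
function esc_html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Attribute values; the attribute must always be written with quotes. */
function esc_attr_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * href/src values: escaping alone does not stop "javascript:" URLs, so the
 * scheme is allow-listed first (assumed list) and anything else is dropped.
 */
function esc_url_attr(string $url): string
{
    $url    = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return '';
    }
    return esc_attr_text($url);
}

// Vulnerable shape: the record's fields land in the page exactly as received.
function render_row_vulnerable(array $f): string
{
    return "<tr><td>{$f['name']}</td>"
         . "<td><a href=\"{$f['site']}\" title=\"{$f['note']}\">site</a></td></tr>";
}

// Hardened: each value escaped for the context it is written into.
function render_row_hardened(array $f): string
{
    return '<tr><td>' . esc_html_text($f['name']) . '</td>'
         . '<td><a href="' . esc_url_attr($f['site'])
         . '" title="' . esc_attr_text($f['note']) . '">site</a></td></tr>';
}

// Constructed CSV record of the kind an attacker can put in an import file or
// submit as a testimonial: a script in the text field, a javascript: URL in the
// link field and a quote-breakout with an event handler in the attribute field.
$csv = '"<script>alert(document.cookie)</script>",javascript:alert(1),"x"" onmouseover=""alert(1)"';
[$name, $site, $note] = str_getcsv($csv, ',', '"', '\\');
$record = ['name' => $name, 'site' => $site, 'note' => $note];

echo "vulnerable: ", render_row_vulnerable($record), "\n";
echo "hardened:   ", render_row_hardened($record), "\n";

// The hardened output keeps every field inert: tags become text, the script
// URL is dropped, and the injected quote can no longer close the attribute.
$expected = '<tr><td>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</td>'
          . '<td><a href="" title="x&quot; onmouseover=&quot;alert(1)">site</a></td></tr>';
echo render_row_hardened($record) === $expected ? "check: ok\n" : "check: FAIL\n";
```

The vulnerable row carries a live `<script>` element, a clickable `javascript:` link and an `onmouseover` handler that escaped the `title` attribute; the hardened row shows the same characters as harmless text. The point the three escapers make is that the context decides the rule: HTML text and quoted attributes need entity encoding, while a URL attribute additionally needs a scheme check, because `javascript:alert(1)` contains nothing that entity encoding would change.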

computer vulnerability 27755

WordPress WP User Manager: SQL injection

Synthesis of the vulnerability

An attacker can exploit a SQL injection in WordPress WP User Manager, in order to read or alter data.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 12/11/2018.
Identifiers: VIGILANCE-VUL-27755.

Description of the vulnerability

An attacker can exploit a SQL injection in WordPress WP User Manager, in order to read or alter data.
