Below is a list of WordPress plugin vulnerabilities to be aware of for the end of October 2014. If your site is running any of the affected plugins, please upgrade immediately – or find an alternative if no patch is available.
Thanks to the security team at Wordfence for the heads up!
- Creative Contact Form has a shell upload vulnerability in all versions prior to 1.0.0. Upgrade immediately. Reported by ExploitDB.
- The current version of CP Multi View Event Calendar (1.01) has an SQL injection vulnerability. Uninstall the plugin immediately until a fix is released. Published on Packet Storm by Claudio Viviani.
- The Alipay plugin for WordPress has an XSS vulnerability in versions 3.6.0 and lower. It may have been fixed in the newest version although that version does not have an entry in the plugin changelog. Disclosed by Prajal Kulkarni on CodeVigilant.
- The current version of Rich Counter (1.1.5, possibly abandoned) contains an XSS vulnerability. Uninstall the plugin until a fix is released. Disclosed by XroGuE on Packet Storm.
- The InfusionSoft Gravity Forms AddOn contains a file upload vulnerability in 1.5.10 and older. Upgrade immediately to 1.5.11. Disclosed by g0blin, with a Metasploit module by us3r777.
- The popular WP Google Maps plugin contains an XSS vulnerability in version 6.0.26 and possibly earlier versions. Upgrade to 6.0.28 immediately. Disclosed by HTBridge.
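To turn the list above into a repeatable check, here is an added example (not from the original post or from Wordfence) that reads a plugin inventory in the JSON shape of `wp plugin list --fields=title,version --format=json` and reports which installed plugins fall inside the affected version ranges. It assumes wp-cli reports plugin titles matching the names used in the advisories, and the sample inventory is constructed.

```python
"""Flag installed WordPress plugins that fall inside the affected ranges listed above."""
import itertools
import json

# (plugin title as named in the advisory, boundary version, boundary affected?, fixed version or None)
ADVISORIES = [
    ("Creative Contact Form", "1.0.0", False, "1.0.0"),          # all versions prior to 1.0.0
    ("CP Multi View Event Calendar", "1.01", True, None),         # current version, no fix yet
    ("Alipay", "3.6.0", True, None),                              # fix unconfirmed, treat as unpatched
    ("Rich Counter", "1.1.5", True, None),                        # possibly abandoned, no fix
    ("InfusionSoft Gravity Forms AddOn", "1.5.10", True, "1.5.11"),
    ("WP Google Maps", "6.0.26", True, "6.0.28"),
]

def parse_version(text):
    """'1.5.10' -> (1, 5, 10); a trailing tag such as '2-beta' counts as 2, '01' as 1."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def compare(a, b):
    """Return -1, 0 or 1 for version tuples a and b, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_affected(installed, boundary, inclusive):
    """True when installed is below the boundary, or equal to it and the boundary is affected."""
    c = compare(parse_version(installed), parse_version(boundary))
    return c < 0 or (inclusive and c == 0)

def check_plugins(inventory_json):
    """Return [(title, installed version, recommended action)] for every affected plugin."""
    findings = []
    for plugin in json.loads(inventory_json):
        for title, boundary, inclusive, fixed in ADVISORIES:
            if plugin["title"] == title and is_affected(plugin["version"], boundary, inclusive):
                action = f"upgrade to {fixed}" if fixed else "uninstall until a fix is released"
                findings.append((title, plugin["version"], action))
    return findings

# Constructed sample inventory in wp-cli's JSON layout; not taken from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"title": "WP Google Maps", "version": "6.0.26"},
    {"title": "Creative Contact Form", "version": "1.0.0"},
    {"title": "CP Multi View Event Calendar", "version": "1.01"},
    {"title": "Akismet", "version": "3.0.4"},
])
```

Calling `check_plugins()` on the sample flags WP Google Maps (upgrade) and CP Multi View Event Calendar (uninstall), while Creative Contact Form 1.0.0 is already at the fixed version.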
For more details and links, please visit the Wordfence Security Blog.
Note: NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by these vulnerabilities.