state of security in the WordPress ecosystem
06.07.2022A few weeks ago, I did some small security audits of WordPress plugins and the result is not great.
With a rather small effort of a few hours per day (for two weeks) and very simple (manual) audits, I had identified over 110 vulnerabilities in 100 plugins. The findings were properly reported to the plugin developers and many were also resolved by new patches. But there were also a few developers who did not react and as a result, some of the plugins were closed on the plugin directory (by the security team of WordPress), until they address and fix these problems.
In summary, there are many (yet unknown) vulnerabilities lurking in insecurely written WordPress plugins. With a bit of effort, these can be easily found, used / exploited and combined in targeted attacks to cause rather big damages.
The following list of assigned CVEs will be updated regularly to reflect my findings.
List of CVEs
- CVE-2021-4226 (rsfirewall)
- CVE-2021-24917 (wps-hide-login)
- CVE-2022-0541 (flo-launch)
- CVE-2022-1054 (rsvp)
- CVE-2022-1164 (wyzi-business-finder)
- CVE-2022-1165 (blackhole-bad-bots)
- CVE-2022-1166 (noo-jobmonster)
- CVE-2022-1167 (careerup)
- CVE-2022-1168 (wp-jobsearch)
- CVE-2022-1169 (careerfy)
- CVE-2022-1170 (noo-jobmonster)
- CVE-2022-1412 (logwpmail)
- CVE-2022-1570 (files-download-delay)
- CVE-2022-1572 (html2wp)
- CVE-2022-1573 (html2wp)
- CVE-2022-1574 (html2wp)
- CVE-2022-1576 (wp-maintenance-mode)
- CVE-2022-1577 (wp-db-backup)
- CVE-2022-1578 (my-wpdb)
- CVE-2022-1579 (login-block-ips)
- CVE-2022-1580 (site-offline)
- CVE-2022-1581 (wp-polls)
- CVE-2022-1583 (open-external-links-in-a-new-window)
- CVE-2022-1585 (project-source-code-download)
- CVE-2022-1589 (change-wp-admin-login)
- CVE-2022-1591 (wordpress-ping-optimizer)
- CVE-2022-1593 (site-is-offline-plugin)
- CVE-2022-1594 (hc-custom-wp-admin-url)
- CVE-2022-1595 (hc-custom-wp-admin-url)
- CVE-2022-1599 (admin-management-xtended)
- CVE-2022-1600 (yop-poll)
- CVE-2022-1601 (user-access-manager)
- CVE-2022-1603 (mail-subscribe-list)
- CVE-2022-1605 (email-users)
- CVE-2022-1608 (social-locker)
- CVE-2022-1610 (seamless-donations)
- CVE-2022-1611 (bulk-page-creator)
- CVE-2022-1612 (webriti-smtp-mail)
- CVE-2022-1613 (restricted-site-access)
- CVE-2022-1614 (wp-email)
- CVE-2022-1624 (latest-tweets-widget)
- CVE-2022-1625 (new-user-approve)
- CVE-2022-1626 (sharebar)
- CVE-2022-1627 (jonradio-private-site)
- CVE-2022-1630 (wp-email)
- CVE-2022-1653 (social-share-buttons-by-supsystic)
- CVE-2022-1663 (stop-spam-comments)
- CVE-2022-1672 (google-pagespeed-insights)
- CVE-2022-1694 (useful-banner-manager)
- CVE-2022-1695 (wordpress-plugin-for-simple-google-adsense-insertion)
- CVE-2022-1709 (throws-spam-away)
- CVE-2022-1712 (livesync)
- CVE-2022-1732 (rename-wp-login)
- CVE-2022-1757 (pagebar)
- CVE-2022-1758 (genki-pre-publish-reminder)
- CVE-2022-1759 (rb-internal-links)
- CVE-2022-1760 (core-control)
- CVE-2022-1761 (peters-collaboration-e-mails)
- CVE-2022-1762 (iq-block-country)
- CVE-2022-1763 (jp-staticpagex)
- CVE-2022-1764 (wp-chgfontsize)
- CVE-2022-1765 (hot-linked-image-cacher)
- CVE-2022-1779 (auto-delete-posts)
- CVE-2022-1780 (latex)
- CVE-2022-1781 (posttabs)
- CVE-2022-1787 (sideblog)
- CVE-2022-1788 (change-uploaded-file-permissions)
- CVE-2022-1790 (new-user-email-set-up)
- CVE-2022-1791 (one-click-plugin-updater)
- CVE-2022-1792 (quick-subscribe)
- CVE-2022-1793 (private-files)
- CVE-2022-1818 (multi-page-toolkit)
- CVE-2022-1826 (cross-linker)
- CVE-2022-1827 (pdf24-post-to-pdf)
- CVE-2022-1828 (pdf24-posts-to-pdf)
- CVE-2022-1829 (google-maps-advanced)
- CVE-2022-1830 (amazon-einzeltitellinks)
- CVE-2022-1831 (wplite)
- CVE-2022-1832 (capa)
- CVE-2022-1842 (openbook-book-data)
- CVE-2022-1843 (mailpress)
- CVE-2022-1844 (wp-sentry)
- CVE-2022-1845 (wp-post-styling)
- CVE-2022-1846 (tiny-contact-form)
- CVE-2022-1847 (rotating-posts)
- CVE-2022-1885 (cimy-header-image-rotator)
- CVE-2022-1895 (underconstruction)
- CVE-2022-1913 (wp-posturl)
- CVE-2022-1914 (clean-contact)
- CVE-2022-1956 (shortcut-macros)
- CVE-2022-1957 (comment-license)
- CVE-2022-1960 (mycss)
- CVE-2022-1967 (wp-championship)
- CVE-2022-2091 (cache-images)
- CVE-2022-2123 (wp-opt-in)
- CVE-2022-2171 (progressive-license)
- CVE-2022-2172 (linkworth-wp-plugin)
- CVE-2022-2328 (flexi-quote-rotator)
- CVE-2022-2544 (ninja-job-board)
- CVE-2022-2558 (simple-job-board)
- CVE-2022-2600 (auto-hyperlink-urls)