WordPress Security Plugin Report: Vulnerabilities and Fixes - 06-18-2012


On June 18, 2012, I did security checks on the following plugins that have been reported as having security vulnerabilities.

(Unfortunately, when a plugin vulnerability is found it is posted online and can cause a mass attack on websites using the plugin.)

In an effort to help keep all self-hosted WordPress users safe, I check these daily for any new threats. The Plugins Team at WordPress.org works very quickly to disable public downloads while working with the third-party developers on a security update before adding the plugin back to the repository.

For WordPress security, the plugins below have either been removed from WordPress.org pending a security update or have fixed the security vulnerability.

  1. Annonces
    Threat: Arbitrary File Upload Vulnerability in Version 1.2.0.1
    Reported: 06/13/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/annonces/
    Trac: http://plugins.trac.wordpress.org/log/annonces/ (last update 06/11/2012)
  2. Evarisk
    Threat: Arbitrary File Upload Vulnerability in Version 5.1.5.4
    Reported: 06/14/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/evarisk/
    Trac: http://plugins.trac.wordpress.org/log/evarisk/ (last update 05/30/2012)
  3. FoxyPress
    Threat: Arbitrary File Upload Vulnerability in Version 0.4.2.1
    Reported: 06/14/2012
    Status: Security fix in Version 0.4.2.2 on 06/16/2012. Latest version is 0.4.2.3
    Download: http://wordpress.org/extend/plugins/foxypress/
    Changelog: http://wordpress.org/extend/plugins/foxypress/changelog/
  4. Invit0r
    Threat: Arbitrary File Upload Vulnerability in Version 0.22
    Reported: 06/14/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/invit0r/
    Trac: http://plugins.trac.wordpress.org/log/invit0r/ (last update 09/25/2011)
  5. LB Mixed Slideshow for WordPress
    Threat: Arbitrary File Upload Vulnerability in Version 1.0
    Reported: 06/17/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/lb-mixed-slideshow/
    Trac: http://plugins.trac.wordpress.org/log/lb-mixed-slideshow/ (last update 09/15/2011)
  6. Lim4wp
    Threat: Arbitrary File Upload Vulnerability in Version 0.22
    Reported: 06/18/2012
    Status: Removed from the WordPress.org repository
    Trac: http://plugins.trac.wordpress.org/log/lim4wp/ (last update 01/10/2011)
  7. MAC PHOTO GALLERY
    Threat: Arbitrary File Upload Vulnerability in Version 2.7
    Reported: 06/11/2012
    Status: Security fix in Version 2.8 on 06/13/2012
    Download: http://wordpress.org/extend/plugins/mac-dock-gallery/ (Plugin deleted from WordPress.org as of 11/14/12)
    Changelog: None available, see Trac: http://plugins.trac.wordpress.org/log/mac-dock-gallery/
  8. User Meta
    Threat: Arbitrary File Upload Vulnerability in Version 1.1.1
    Reported: 06/11/2012
    Status: Security fix in Version 1.1.1.1 on 06/12/2012
    Download: http://wordpress.org/extend/plugins/user-meta/
    Changelog: http://wordpress.org/extend/plugins/user-meta/changelog/
  9. WordPress Automatic Plugin (premium plugin)
    Threat: CSRF Exploit Vulnerability in Version 2.0.3
    Status: Security fix in Version 2.0.4 on 06/11/2012
    Download/Changelog: http://codecanyon.net/item/wordpress-automatic-plugin/1904470
  10. Wp-ImageZoom
    Threat: Remote File Disclosure Vulnerability in Version 5.1.5.4
    Reported: 06/18/2012
    Status: Removed from the WordPress.org repository
    Old URL: http://wordpress.org/extend/plugins/wp-imagezoom/
    Trac: http://plugins.trac.wordpress.org/log/wp-imagezoom/ (last update 05/30/2012)
  11. wpStoreCart
    Threat: Arbitrary File Upload Vulnerability in Versions 2.5.27 - 2.5.29
    Reported: 06/08/2012
    Status: Security fix in Version 2.5.30 on 06/09/2012. Latest version is 2.5.31
    Download: http://wordpress.org/extend/plugins/wpstorecart/
    Changelog: http://wordpress.org/extend/plugins/wpstorecart/changelog/
  12. Zingiri Web Shop
    Threat: Arbitrary File Upload Vulnerability in Version 2.4.3
    Reported: 06/14/2012
    Status: Security fix in Version 2.4.4 on 06/18/2012
    Download: http://wordpress.org/extend/plugins/zingiri-web-shop/
    Changelog: http://wordpress.org/extend/plugins/zingiri-web-shop/changelog/

What to do if a plugin listed above is installed on your WordPress site with "Status: Security Fix..."

Important! The security fix is an update to close the vulnerability. You need to update the plugin immediately to the latest version for security.

What to do if the plugin you're using is listed as "Status: Removed from the WordPress.org repository"?

Important! For WordPress security, you should deactivate and remove the plugin immediately until a security update is available. If it's vital that you use the functions of a plugin, please look for a supported replacement plugin at http://wordpress.org/extend/plugins/ until a security fix is released.
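The two rules above (update when a fix exists, deactivate and remove when the plugin was pulled) can be applied mechanically to a site's installed plugins. The script below is an added example, not part of the original post: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints, compares each installed version against the versions named in this report (slugs taken from the WordPress.org URLs above), and prints the recommended action. The sample JSON is constructed input.

```python
"""Triage installed WordPress plugins against the 06-18-2012 report above.
Added example (not the post's own code). Input is the JSON printed by
`wp plugin list --format=json`; the sample below is constructed."""
import json

# slug (from the WordPress.org URL) -> (affected versions, first fixed version or None if pulled)
ADVISORY = {
    "annonces":           (["1.2.0.1"], None),
    "evarisk":            (["5.1.5.4"], None),
    "foxypress":          (["0.4.2.1"], "0.4.2.2"),
    "invit0r":            (["0.22"], None),
    "lb-mixed-slideshow": (["1.0"], None),
    "lim4wp":             (["0.22"], None),
    "mac-dock-gallery":   (["2.7"], "2.8"),
    "user-meta":          (["1.1.1"], "1.1.1.1"),
    "wp-imagezoom":       (["5.1.5.4"], None),
    "wpstorecart":        (["2.5.27", "2.5.28", "2.5.29"], "2.5.30"),
    "zingiri-web-shop":   (["2.4.3"], "2.4.4"),
}

def vtuple(v):
    """'2.5.27' -> (2, 5, 27), so '1.1.1.1' correctly sorts above '1.1.1'."""
    return tuple(int(p) for p in v.split("."))

def triage(plugin):
    """Recommend the action the post gives for one installed plugin record."""
    slug, version = plugin["name"], plugin["version"]
    if slug not in ADVISORY:
        return "not listed"
    affected, fixed = ADVISORY[slug]
    if fixed is None:
        # Pulled from the repository with no fix published: deactivate and remove.
        return f"REMOVE (pulled from repository; affected: {', '.join(affected)})"
    if vtuple(version) >= vtuple(fixed):
        return f"ok (fixed version {fixed} or later installed)"
    return f"UPDATE to {fixed} or later (installed {version})"

def triage_site(wp_cli_json):
    """Return {slug: recommendation} for every plugin in the WP-CLI output."""
    return {p["name"]: triage(p) for p in json.loads(wp_cli_json)}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_CLI_JSON = """[
 {"name": "akismet", "status": "active", "update": "none", "version": "2.5.6"},
 {"name": "foxypress", "status": "active", "update": "available", "version": "0.4.2.1"},
 {"name": "wpstorecart", "status": "inactive", "update": "none", "version": "2.5.31"},
 {"name": "evarisk", "status": "active", "update": "none", "version": "5.1.5.4"}
]"""

if __name__ == "__main__":
    for slug, action in triage_site(SAMPLE_WP_CLI_JSON).items():
        print(f"{slug:20} {action}")
```

On a live site, pipe the real output in with `wp plugin list --format=json | python3 triage.py` after replacing the sample string with `sys.stdin.read()`.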

Will a removed plugin be re-listed on WordPress.org?

For your protection WordPress.org removes the plugin link until the developer has fixed any security issues. Once the vulnerability is fixed and reviewed by WordPress.org, the plugin may appear again.

Note: Many times, third-party plugin developers are actively working on a security fix. To check the status of any plugin development and/or updates, click on the "Trac" link above or copy and paste the Old URL to see if the plugin is re-listed. If it is re-listed, it is safe to use the latest plugin version.

LEAVE YOUR FEEDBACK

Have a question about the security of these WordPress plugins? If you need to report a plugin vulnerability, or have found a plugin that has been removed from the WordPress.org repository, please let us know. Leave your comment below.

I spend hours on these reports to help you stay safe. Please help other WordPress users as well by sharing this post using the buttons below.

==>> Pssst… Did you attend the “How to Create Prospect & Profit Pulling Content in 20 Minutes or Less with Jeff Herring, a Webinar Hosted by Regina Smola?”

Wow! What an amazing webinar. We were pumping out content during this live event, it was action packed and we produced results! And you can too! Listen to the Replay Right Now! (Hurry, it's free and only available till the end of the weekend.)

About Regina Smola

Regina is a sought-after WordPress Security Expert, Speaker, Author and owner of WPSecurityLock.com. She has helped thousands of WordPress users tighten security on their WordPress sites and fixed hundreds of hacked WordPress blogs.

Comments

  1. Yippee. I don't have any of those plug-ins! Thanks Regina for your good work and keeping all of us up to date!

  2. Ditto, but was saddened to learn that even the premium version of Automatic Upgrade Plug-in became vulnerable. Had used the free version till recently, when an upgrade broke it. May look into the feasibility of obtaining the premium version. Never quite understood why the folks at WP decided to come out with an inferior version of Automatic Upgrade.

    • Hi Robert,

      I think you misunderstood. The premium plugin is the one with a security update. Click on the Download/Changelog link for the plugin and read the changelog about halfway down the page for details. This is not related to WordPress auto-updates.

  3. Like Dr. MaryJo Wagner, I don't use any of these.

    Don't use any of the ones on your June 12 list either. (wink)

  4. For sure whatever the Automatic plug-in is, isn't what I want or need. It is my understanding that there is a Premium version of the once free Automatic Upgrade WordPress plug-in. Just spent $15 for an unneeded plug-in, hopefully they will refund my money.
