Plugin Vulnerabilities

Description

This plugin checks the plugins you have installed against a list of vulnerabilities in plugins that we have seen hackers trying to exploit. If the installed version of a plugin is vulnerable, an alert is added to the Installed Plugins page and an email alert is sent; otherwise, details of the vulnerabilities are included on the Plugin Vulnerabilities page.
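As an added illustration, not the plugin's own code, the following PHP sketches the version check the description above implies: each installed plugin is looked up in a vulnerability list, and an entry is classified as an alert when the installed version falls inside the affected range, or as informational when the site already runs a release past the fix. The plugin slugs, versions and vulnerability entries are constructed for the example, the `$installed` array stands in for what WordPress's `get_plugins()` would return, and the data format the real plugin ships in its /vulnerabilities/ folder is not reproduced.

```php
<?php
// Added example (not the Plugin Vulnerabilities plugin's own code): match
// installed plugin versions against a constructed vulnerability list and
// classify each finding as "alert" (installed version is inside the
// vulnerable range) or "informational" (vulnerability existed only in an
// older version than the one in use).

// Constructed sample vulnerability list. 'fixed_in' => null means no fixed
// release is known, so every version from 'first_vulnerable' on is affected.
$vulnerabilities = [
    ['slug' => 'example-gallery', 'type' => 'arbitrary file upload',
     'first_vulnerable' => '1.0.0', 'fixed_in' => '1.4.2'],
    ['slug' => 'example-forms',   'type' => 'SQL injection',
     'first_vulnerable' => '2.0.0', 'fixed_in' => '2.3.1'],
    ['slug' => 'example-slider',  'type' => 'reflected XSS',
     'first_vulnerable' => '0.1',   'fixed_in' => null],
];

// Constructed stand-in for the output of WordPress's get_plugins():
// plugin slug => installed version.
$installed = [
    'example-gallery'   => '1.3.9', // inside the vulnerable range -> alert
    'example-forms'     => '2.4.0', // already past the fix -> informational
    'example-slider'    => '0.1',   // no fix released -> alert
    'example-unrelated' => '5.0',   // nothing known about it -> no output
];

/**
 * Decide whether an installed version falls inside a vulnerable range.
 * version_compare() handles WordPress-style versions such as "1.4.2" and
 * "1.4.2-beta1", which is why it is preferred over string comparison.
 */
function is_version_vulnerable(string $installed, string $first_vulnerable, ?string $fixed_in): bool
{
    if (version_compare($installed, $first_vulnerable, '<')) {
        return false; // older than the first affected release
    }
    if ($fixed_in === null) {
        return true;  // unfixed: every version from first_vulnerable on is affected
    }
    return version_compare($installed, $fixed_in, '<');
}

/**
 * Join the installed plugins with the vulnerability list and label each
 * finding. Plugins with no entry in the list produce nothing.
 */
function classify_plugins(array $installed, array $vulnerabilities): array
{
    $results = [];
    foreach ($vulnerabilities as $vuln) {
        $slug = $vuln['slug'];
        if (!isset($installed[$slug])) {
            continue; // plugin not installed on this site
        }
        $version    = $installed[$slug];
        $vulnerable = is_version_vulnerable($version, $vuln['first_vulnerable'], $vuln['fixed_in']);
        $results[$slug][] = [
            'type'     => $vuln['type'],
            'version'  => $version,
            'status'   => $vulnerable ? 'alert' : 'informational',
            'fixed_in' => $vuln['fixed_in'] ?? 'no fix available',
        ];
    }
    return $results;
}

foreach (classify_plugins($installed, $vulnerabilities) as $slug => $findings) {
    foreach ($findings as $f) {
        printf("%-18s %-13s %s in version %s (fixed in: %s)\n",
            $slug, $f['status'], $f['type'], $f['version'], $f['fixed_in']);
    }
}
```

Run it with the PHP command-line interpreter; the lines marked "alert" correspond to what the description says is surfaced on the Installed Plugins page and by email, and the "informational" line to what would only be listed on the Plugin Vulnerabilities page. Treating a missing fixed_in as "still vulnerable" is the safe default for a checker like this, since silently skipping unfixed entries would hide exactly the plugins an administrator most needs to remove or replace.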

This data can be helpful when cleaning up a hacked website, since you want to determine how the website was hacked as part of that cleanup, and this data may provide part of the information needed to do so.

Since the vulnerability data for the plugin is included in the plugin, you will need to keep the plugin up to date to ensure you have the latest data. You can use our Automatic Plugin Updates plugin to automatically update this plugin and your other installed plugins.

If you want to let us know of a missing exploited vulnerability or if we need to correct something in the listing for an included vulnerability, please contact us here. For missing vulnerabilities please include a link to the details of the vulnerability.

Sign Up For Our Plugin Vulnerabilities Service

You can get alerted for known vulnerabilities in all the plugins you use, not just the ones that we are already seeing evidence of hackers targeting, when you sign up for our Plugin Vulnerabilities service. Through the service you also have access to a number of other important features, including the ability to help determine which plugins we will do security reviews of.

You can get your first month of the service for free when you use the coupon code “FirstMonthFree” when signing up.

Screenshots

  • Alert Shown on Installed Plugins Page For Vulnerability In Version of Plugin In Use

  • Full Listing of Vulnerabilities With Frequent Exploitation Attempts That Have Existed in Installed Plugins

  • Email Alert

Installation

  1. Copy plugin files to the plugins folder.

  2. Activate the plugin.

  3. Click the Plugin Vulnerabilities item in the Plugins Menu to see results.

Reviews

Not of much use

While other security-oriented plugins do some active protection against potential exploits (at least try to) this one actually does not add much value, but rather just checks the list of installed plugins against the list of vulnerable plugins.

The vulnerable plugins list is included inside of the plugin. And it has only about 160 plugins – given that the plugin repository now has about 50,000 plugins – this is not much.

The plugin does not recommend any action to prevent the vulnerability from being exploited. It just alerts that it exists.

So in the end: 1) The database of vulnerabilities is poor, 2) The plugin assumes you need to update it regularly and manually to have the list of vulnerabilities, 3) If the plugin finds a vulnerability, the only action you can take from there is to read an article about the vulnerability on the author’s website. And order a paid service from them to clean up.

So basically all actions will still be manual.

The vulnerabilities included are taken from public sources, which are updated in real time, unlike this plugin. So at the end of the day, if you’re checking this manually it makes more sense to check the public sources.

As is, it is just an interface to match your plugins against known vulnerabilities which is not that useful.

I stopped testing and uninstalled the plugin.

Webshell inside?

https://www.virustotal.com/pt/file/cc4e378ceacbf793219692e167529eddb04a02fb9c4e5005eeb71ca48dceac49/analysis/1481926177/

Could Be Better

There are some issues with this plugin:

1) Since the plugin must be updated in order for it to detect vulnerabilities, and there haven’t been any new vulnerabilities added in nearly 4 months, this isn’t currently very useful as a security plugin.

2) Since users must update the plugin for it to be able to detect new vulnerabilities, chances are that they’ve already installed the security fix to the vulnerable plugin by the time this plugin informs them of the issue. Essentially, this plugin is redundant.

3) The plugin includes the list of vulnerabilities directly in the plugin files, which causes some hosting providers to falsely flag the plugin itself as malicious.

For now, I’m finding a combination of Wordfence and Plugin Security Scanner to be more effective, since they both run scans automatically on a daily basis and send email notifications if issues are found.

Among many other security features, Wordfence scans plugin files and compares them to the original versions from the official WordPress repository. It generates alerts if any plugins are out of date, and it shows the changes to the files so site admins can easily see whether they were manually done, or whether they are indeed malicious. It also checks for signatures of known malicious files, and scans file contents as well as the database for backdoors, trojans, and suspicious code.

As for Plugin Security Scanner, it determines whether any plugins have security vulnerabilities by looking up details in the WPScan Vulnerability Database. I think this is more effective than including the list of vulnerabilities directly in the plugin files, as this plugin does, since the onus isn’t on site admins to update the plugin each time new vulnerabilities are added, and since issues can be found faster thanks to daily automatic scans.

Should be built into WordPress

This is an absolutely essential plugin which, frankly, should be built into WordPress itself to warn people that the plugins they are using contain exploits.

I own a hosting company and much of our work is helping customers recover from hacked installs of WordPress, Joomla, Magento or whatever software they’ve installed years previously but never updated. WordPress, being used by apparently 25% of the world’s websites, is a particular target.

I’m giving it 4/5 only because the signatures of each vulnerable plugin this tracks in the plugin’s /vulnerabilities/ folder do themselves trigger false positive reports in server-side exploit tools such as the very commonly used cxs by ConfigServer.com. If those were stored in such a way that cxs wouldn’t report them then this gets 5/5.

Read all 14 reviews

Contributors & Developers

“Plugin Vulnerabilities” is open source software. The following people have contributed to this plugin.

Contributors

Changelog

2.0.45 – 4/20/2017

  • Added data on vulnerability in WooCommerce Catalog Enquiry.

2.0.44 – 4/11/2017

  • Added data on vulnerabilities in Analytic and Lightbox Wp.

2.0.43 – 3/16/2017

  • Added data on vulnerabilities in How to Create an App for Android iPhone Easytouch, Webapp builder, WordPress Mobile app Builder, and Wp2android.

2.0.42 – 3/6/2017

  • Added data on vulnerabilities in CMS Commander Client and Zen Mobile App Native.

2.0.41 – 3/3/2017

  • Added vulnerabilities

2.0.40 – 2/13/2017

  • Added vulnerabilities

2.0.39 – 2/6/2017

  • Added vulnerabilities

2.0.38 – 1/30/2017

  • Added vulnerabilities

2.0.37 – 1/27/2017

  • Added vulnerabilities

2.0.36 – 1/26/2017

  • Added vulnerabilities

2.0.35 – 1/25/2017

  • Added vulnerabilities

2.0.34 – 1/9/2017

  • Added vulnerabilities

2.0.33 – 12/15/2016

  • Added vulnerabilities

2.0.32 – 12/12/2016

  • Added vulnerability

2.0.31 – 11/15/2016

  • Added vulnerability

2.0.30 – 11/8/2016

  • Added vulnerability

2.0.29 – 10/28/2016

  • Added vulnerabilities

2.0.28 – 10/24/2016

  • Added vulnerabilities

2.0.27 – 10/20/2016

  • Added vulnerabilities

2.0.26 – 10/14/2016

  • Added vulnerability

2.0.25 – 10/6/2016

  • Added vulnerabilities

2.0.24 – 10/3/2016

  • Added vulnerabilities

2.0.23 – 9/23/2016

  • Added vulnerabilities

2.0.22 – 9/19/2016

  • Added vulnerabilities
  • Added ability to see our estimate of the likelihood of a vulnerability being exploited, when using the companion service

2.0.21 – 8/29/2016

  • Added vulnerabilities
  • Added ability to see listing of false vulnerability reports to plugin’s page when using the companion service

2.0.20 – 8/15/2016

  • Added email alerts for vulnerabilities in plugins with exploit attempts (if you already have the plugin installed you will need to deactivate and then reactivate the plugin to turn these on)
  • Improved admin page UI
  • Added vulnerabilities

2.0.19 – 8/1/2016

  • Added vulnerabilities

2.0.18 – 7/18/2016

  • Added vulnerability

2.0.17 – 7/15/2016

  • Added additional vulnerabilities

2.0.16

  • Added additional vulnerabilities

2.0.15

  • Added additional vulnerabilities

2.0.14

  • Added additional vulnerabilities

2.0.13

  • Added additional vulnerabilities

2.0.12

  • Added additional vulnerabilities

2.0.11

  • Added additional vulnerabilities

2.0.10

  • Added additional vulnerabilities

2.0.9

  • Added additional vulnerabilities

2.0.8

  • Added additional vulnerabilities

2.0.7

  • Added additional vulnerabilities
  • Added vulnerability listings on plugin detail pages

2.0.6

  • Added additional vulnerabilities

2.0.5

  • Added developer advisories

2.0.4

  • Added additional vulnerabilities

2.0.3

  • Added additional vulnerabilities
  • Stopped unnecessary cron runs

2.0.2

  • Added additional vulnerabilities
  • Stopped unnecessary cron runs
  • Fixed issue causing some alerts to not be shown on Installed Plugins page
  • Update for API response change

2.0.1

  • Added additional vulnerabilities

2.0

  • Reduced included vulnerabilities to ones that have frequent exploit attempts
  • Added capability to access Plugin Vulnerabilities service

1.0.34

  • Added 8 vulnerabilities

1.0.33

  • Added 6 vulnerabilities

1.0.32

  • Added 7 vulnerabilities

1.0.31

  • Added 11 vulnerabilities

1.0.30

  • Added 12 vulnerabilities

1.0.29

  • Added 7 vulnerabilities

1.0.28

  • Added 7 vulnerabilities

1.0.27

  • Added 8 vulnerabilities

1.0.26

  • Added 7 vulnerabilities

1.0.25

  • Added 16 vulnerabilities

1.0.24

  • Added 8 vulnerabilities

1.0.23

  • Added 8 vulnerabilities

1.0.22

  • Added 9 vulnerabilities

1.0.21

  • Added 8 vulnerabilities

1.0.20

  • Added 20 vulnerabilities

1.0.19

  • Added 8 vulnerabilities

1.0.18

  • Added 9 vulnerabilities

1.0.17

  • Added optional email alerts
  • Added 9 vulnerabilities

1.0.16

  • Added 9 vulnerabilities

1.0.15

  • Added 11 vulnerabilities

1.0.14

  • Added 6 vulnerabilities

1.0.13

  • Added 5 vulnerabilities

1.0.12

  • Added 11 vulnerabilities

1.0.11

  • Added 4 vulnerabilities

1.0.10

  • Added 7 vulnerabilities

1.0.9

  • Added 4 vulnerabilities

1.0.8

  • Added 6 vulnerabilities

1.0.7

  • Added 9 vulnerabilities

1.0.6

  • Added 17 vulnerabilities

1.0.5

  • Added 16 vulnerabilities

1.0.4

  • Added 14 vulnerabilities

1.0.3

  • Added 30 vulnerabilities

1.0.2

  • Added 8 vulnerabilities

1.0.1

  • Added 6 vulnerabilities

1.0

  • Initial release