Plugin Vulnerabilities

Description

This plugin checks the plugins you have installed against a list of vulnerabilities in plugins that we have seen hackers trying to exploit. If the installed version of a plugin is vulnerable, an alert is added to the Installed Plugins page and an email alert is sent; otherwise, details of the vulnerabilities are included on the Plugin Vulnerabilities page.

This data can also be helpful when cleaning up a hacked website, as you want to determine how the website was hacked when doing that, and this data may provide part of the information needed to do that.

Since the vulnerability data for the plugin is included in the plugin, you will need to keep the plugin up to date to ensure you have the latest data. You can use our Automatic Plugin Updates plugin to automatically update this plugin and your other installed plugins.

Sign Up For Our Plugin Vulnerabilities Service

You can get alerted for known vulnerabilities in all the plugins you use, not just the ones for which we are already seeing evidence that hackers are targeting them, when you sign up for our Plugin Vulnerabilities service. Through the service you also have access to a number of other important features, including the ability to help determine which plugins we will do security reviews of.

You can currently sign up for half off when you use the coupon code “HalfOff” when signing up. We include free lifetime subscription to the service when we do a WordPress Hack Cleanup.

Screenshots

  • Alert Shown on Installed Plugins Page For Vulnerability In Version of Plugin In Use

  • Full Listing of Vulnerabilities With Frequent Exploitation Attempts That Have Existed in Installed Plugins

  • Email Alert

FAQ

Where Does The Data Come From?

As part of data collection for our Plugin Vulnerabilities service we monitor a number of channels, including our own websites, third-party data on hacking attempts, and the WordPress support forums, for indications that hackers are targeting plugins. In many cases all we know based on that is that a plugin is being targeted, so we will then use our knowledge of previous vulnerabilities that hackers have targeted to find what a hacker may be targeting in the plugin.

Adding/Correcting Our Data

If you want to let us know of a missing exploited vulnerability or if we need to correct something in the listing for an included vulnerability, please contact us here. For missing vulnerabilities please include a link to the details of the vulnerability.

Getting More Complete Data

If you want to be warned about all vulnerabilities, not just those that are already targeted by hackers, you can sign up for our Plugin Vulnerabilities service.

Can the Plugin Cause False Positives with Other Security Scanners?

This plugin determines if plugins are vulnerable based on the version of the plugin in use instead of trying to identify vulnerable code, so it will not cause false positives in other tools unless they are poorly made (which is true far too often).
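The following is an added example written for this page; it is not code from the Plugin Vulnerabilities plugin. It shows the version-based check the description and this FAQ answer describe: each record holds only a plugin slug, the version range that is affected and the version that fixed it, and the installed version is compared against that range with PHP's `version_compare()`. The plugin slugs, version numbers and vulnerability titles are constructed, and the `get_plugins()` remark refers to the standard WordPress function that a real installation would use to build the inventory.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the Plugin Vulnerabilities plugin.
 * Version-based matching: a record says which version range of a plugin is
 * affected and in which version the issue was fixed. Nothing about the
 * vulnerable code itself is stored, so a file scanner has no signature to hit.
 */

// Constructed sample vulnerability data; slugs, versions and titles are hypothetical.
$vulnerabilities = [
    [
        'slug'     => 'example-upload-widget',
        'title'    => 'Arbitrary file upload',
        'from'     => null,      // null: every version before the fix is affected
        'fixed_in' => '1.4.2',   // first non-vulnerable version
    ],
    [
        'slug'     => 'example-upload-widget',
        'title'    => 'Reflected XSS in settings page',
        'from'     => '1.2.0',   // introduced in this version
        'fixed_in' => '1.3.0',
    ],
    [
        'slug'     => 'example-contact-form',
        'title'    => 'SQL injection in entry export',
        'from'     => null,
        'fixed_in' => null,      // null: no fixed release yet, so every version is affected
    ],
];

/**
 * True when $installed falls inside the affected range [from, fixed_in).
 * version_compare() understands suffixes such as "1.4.2-beta" as well.
 */
function is_affected(string $installed, ?string $from, ?string $fixedIn): bool
{
    if ($from !== null && version_compare($installed, $from, '<')) {
        return false;   // older than the version that introduced the bug
    }
    if ($fixedIn !== null && version_compare($installed, $fixedIn, '>=')) {
        return false;   // already running the fixed release
    }
    return true;
}

/**
 * Classify every installed plugin, mirroring the two outcomes in the description:
 *  'vulnerable' : installed version is inside an affected range (alert and email)
 *  'history'    : plugin has known vulnerabilities, but only in other versions
 *  'clean'      : no records for this plugin
 *
 * $installed maps slug => version. In WordPress the same map can be derived from
 * get_plugins(), whose keys are "slug/main-file.php" and whose values carry 'Version'.
 */
function classify_plugins(array $installed, array $vulnerabilities): array
{
    $result = [];
    foreach ($installed as $slug => $version) {
        $status  = 'clean';
        $matches = [];
        foreach ($vulnerabilities as $vuln) {
            if ($vuln['slug'] !== $slug) {
                continue;
            }
            if ($status === 'clean') {
                $status = 'history';
            }
            if (is_affected($version, $vuln['from'], $vuln['fixed_in'])) {
                $status    = 'vulnerable';
                $matches[] = $vuln['title'];
            }
        }
        $result[$slug] = ['status' => $status, 'vulnerabilities' => $matches];
    }
    return $result;
}

// Constructed installed-plugin inventory.
$installed = [
    'example-upload-widget' => '1.3.5',   // past the XSS fix, still before the upload fix
    'example-contact-form'  => '2.0.0',   // unfixed issue: affected at any version
    'example-slider'        => '3.1.0',   // no records for this slug
];

foreach (classify_plugins($installed, $vulnerabilities) as $slug => $info) {
    printf("%-24s %-10s %s\n", $slug, $info['status'], implode('; ', $info['vulnerabilities']));
}
```

Because a record carries only a slug, a version range and a title, the data file never contains the request strings or code fragments that signature-based server scanners match on; storing the data in this shape is the change the last review below asks for when it reports the plugin's own vulnerability files being flagged by cxs.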

Reviews

Not Impressed

Installed and tested this plugin out. Wasn’t really impressed with what it does. I guess it may be ok for some people, but I feel like it’s a waste of resources to install this on my WordPress site; it doesn’t actively provide any protection, just tells me that something is bad.

Maybe it’s just the author’s continued bashing of every competitor in the security industry that turns me off. Why isn’t the author doing more to help with the security community instead of bashing everyone? I briefly visited the blog related to the plugin – just not a very professional company to deal with if you ask me.

Not of much use

While other security-oriented plugins do some active protection against potential exploits (at least try to) this one actually does not add much value, but rather just checks the list of installed plugins against the list of vulnerable plugins.

The vulnerable plugins list is included inside of the plugin. And it has only about 160 plugins – given that the plugin repository now has abt. 50,000 plugins – this is not much.

Plugin does not recommend any action to prevent the vulnerability from being exploited. Just alerts that it exists.

So in the end: 1) The database of vulnerabilities is poor, 2) Plugin assumes you need to update it regularly manually to have the list of vulnerabilities, 3) If plugin finds a vulnerability the only action you can take from there is to read an article about vulnerability on author’s website. And order a paid service from them to clean up.

So basically all actions will still be manual.

The vulnerabilities included are taken from public sources, which are updated in real time, unlike this plugin. So at the end of the day, if you’re checking this manually, it makes more sense to check the public sources.

As is, it is just an interface to match your plugins against known vulnerabilities which is not that useful.

I stopped testing and uninstalled the plugin.

Webshell inside?

https://www.virustotal.com/pt/file/cc4e378ceacbf793219692e167529eddb04a02fb9c4e5005eeb71ca48dceac49/analysis/1481926177/

Could Be Better

There are some issues with this plugin:

1) Since the plugin must be updated in order for it to detect vulnerabilities, and there haven’t been any new vulnerabilities added in nearly 4 months, this isn’t currently very useful as a security plugin.

2) Since users must update the plugin for it to be able to detect new vulnerabilities, chances are that they’ve already installed the security fix to the vulnerable plugin by the time this plugin informs them of the issue. Essentially, this plugin is redundant.

3) The plugin includes the list of vulnerabilities directly in the plugin files, which causes some hosting providers falsely to flag the plugin itself as malicious.

For now, I’m finding a combination of Wordfence and Plugin Security Scanner to be more effective, since they both run scans automatically on a daily basis and send email notifications if issues are found.

Among many other security features, Wordfence scans plugin files and compares them to the original versions from the official WordPress repository. It generates alerts if any plugins are out of date, and it shows the changes to the files so site admins can easily see whether they were manually done, or whether they are indeed malicious. It also checks for signatures of known malicious files, and scans file contents as well as the database for backdoors, trojans, and suspicious code.

As for Plugin Security Scanner, it determines whether any plugins have security vulnerabilities by looking up details in the WPScan Vulnerability Database. I think this is more effective than including the list of vulnerabilities directly in the plugin files, as this plugin does, since the onus isn’t on site admins to update the plugin each time new vulnerabilities are added, and since issues can be found faster thanks to daily automatic scans.

Should be built into WordPress

This is an absolutely essential plugin which should frankly be built into WordPress itself to warn people that the plugins they are using contain exploits.

I own a hosting company and much of our work is helping customers recover from hacked installs of WordPress, Joomla, Magento or whatever software they’ve installed years previously but never updated. WordPress, being used by apparently 25% of the world’s websites is a particular target.

I’m giving it 4/5 only because the signatures of each vulnerable plugin this tracks in the plugin’s /vulnerabilities/ folder do themselves trigger false positive reports in server side exploit tools such as the very commonly used cxs by ConfigServer.com. If those were stored in such a way that cxs wouldn’t report them then this gets 5/5.

Contributors & Developers

“Plugin Vulnerabilities” is open source software. The following people have contributed to this plugin.

Changelog

2.0.54 – 12/15/2017

  • Added data on vulnerabilities in Membership Simplified, SendinBlue Subscribe Form And WP SMTP, and Work The Flow File Upload.

2.0.53 – 11/27/2017

  • Added data on vulnerability in PHP Event Calendar.

2.0.52 – 11/9/2017

  • Added data on vulnerabilities in Formidable Forms and Shortcodes Ultimate.

2.0.51 – 10/16/2017

  • Added data on vulnerability in Facebook Like Box.

2.0.50 – 10/9/2017

  • Added data on vulnerabilities in Brandfolder and mb.miniAudioPlayer.

2.0.49 – 10/4/2017

  • Added data on vulnerabilities in Appointments and Flickr Gallery.

2.0.48 – 9/11/2017

  • Added data on vulnerabilities in Display Widgets.

2.0.47 – 8/16/2017

  • Added data on vulnerabilities in Asgaros Forum and Social Sticky Animated.

2.0.46 – 6/8/2017

  • Added data on vulnerabilities in 1 Flash Gallery, Flutter, Image Symlinks, MiwoFTP, N-Media Repository Manager, and WP-CRM.
  • Added alert for vulnerability in current version on More Details pages when adding new plugins.

2.0.45 – 4/20/2017

  • Added data on vulnerability in WooCommerce Catalog Enquiry.

2.0.44 – 4/11/2017

  • Added data on vulnerabilities in Analytic and Lightbox Wp.

2.0.43 – 3/16/2017

  • Added data on vulnerabilities in How to Create an App for Android iPhone Easytouch, Webapp builder, WordPress Mobile app Builder, and Wp2android.

2.0.42 – 3/6/2017

  • Added data on vulnerabilities in CMS Commander Client and Zen Mobile App Native.

2.0.41 – 3/3/2017

  • Added vulnerabilities

2.0.40 – 2/13/2017

  • Added vulnerabilities

2.0.39 – 2/6/2017

  • Added vulnerabilities

2.0.38 – 1/30/2017

  • Added vulnerabilities

2.0.37 – 1/27/2017

  • Added vulnerabilities

2.0.36 – 1/26/2017

  • Added vulnerabilities

2.0.35 – 1/25/2017

  • Added vulnerabilities

2.0.34 – 1/9/2017

  • Added vulnerabilities

2.0.33 – 12/15/2016

  • Added vulnerabilities

2.0.32 – 12/12/2016

  • Added vulnerability

2.0.31 – 11/15/2016

  • Added vulnerability

2.0.30 – 11/8/2016

  • Added vulnerability

2.0.29 – 10/28/2016

  • Added vulnerabilities

2.0.28 – 10/24/2016

  • Added vulnerabilities

2.0.27 – 10/20/2016

  • Added vulnerabilities

2.0.26 – 10/14/2016

  • Added vulnerability

2.0.25 – 10/6/2016

  • Added vulnerabilities

2.0.24 – 10/3/2016

  • Added vulnerabilities

2.0.23 – 9/23/2016

  • Added vulnerabilities

2.0.22 – 9/19/2016

  • Added vulnerabilities
  • Added ability to see our estimate of the likelihood of a vulnerability being exploited, when using the companion service

2.0.21 – 8/29/2016

  • Added vulnerabilities
  • Added ability to see listing of false vulnerability reports to plugin’s page when using the companion service

2.0.20 – 8/15/2016

  • Added email alerts for vulnerabilities in plugins with exploit attempts (if you already have the plugin installed you will need to deactivate and then reactivate the plugin to turn these on)
  • Improved admin page UI
  • Added vulnerabilities

2.0.19 – 8/1/2016

  • Added vulnerabilities

2.0.18 – 7/18/2016

  • Added vulnerability

2.0.17 – 7/15/2016

  • Added additional vulnerabilities

2.0.16

  • Added additional vulnerabilities

2.0.15

  • Added additional vulnerabilities

2.0.14

  • Added additional vulnerabilities

2.0.13

  • Added additional vulnerabilities

2.0.12

  • Added additional vulnerabilities

2.0.11

  • Added additional vulnerabilities

2.0.10

  • Added additional vulnerabilities

2.0.9

  • Added additional vulnerabilities

2.0.8

  • Added additional vulnerabilities

2.0.7

  • Added additional vulnerabilities
  • Added vulnerability listings on plugin detail pages

2.0.6

  • Added additional vulnerabilities

2.0.5

  • Added developer advisories

2.0.4

  • Added additional vulnerabilities

2.0.3

  • Added additional vulnerabilities
  • Stopped unnecessary cron runs

2.0.2

  • Added additional vulnerabilities
  • Stopped unnecessary cron runs
  • Fixed issue causing some alerts to not be shown on Installed Plugins page
  • Update for API response change

2.0.1

  • Added additional vulnerabilities

2.0

  • Reduced included vulnerabilities to ones that have frequent exploit attempts
  • Added capability to access Plugin Vulnerabilities service

1.0.34

  • Added 8 vulnerabilities

1.0.33

  • Added 6 vulnerabilities

1.0.32

  • Added 7 vulnerabilities

1.0.31

  • Added 11 vulnerabilities

1.0.30

  • Added 12 vulnerabilities

1.0.29

  • Added 7 vulnerabilities

1.0.28

  • Added 7 vulnerabilities

1.0.27

  • Added 8 vulnerabilities

1.0.26

  • Added 7 vulnerabilities

1.0.25

  • Added 16 vulnerabilities

1.0.24

  • Added 8 vulnerabilities

1.0.23

  • Added 8 vulnerabilities

1.0.22

  • Added 9 vulnerabilities

1.0.21

  • Added 8 vulnerabilities

1.0.20

  • Added 20 vulnerabilities

1.0.19

  • Added 8 vulnerabilities

1.0.18

  • Added 9 vulnerabilities

1.0.17

  • Added optional email alerts
  • Added 9 vulnerabilities

1.0.16

  • Added 9 vulnerabilities

1.0.15

  • Added 11 vulnerabilities

1.0.14

  • Added 6 vulnerabilities

1.0.13

  • Added 5 vulnerabilities

1.0.12

  • Added 11 vulnerabilities

1.0.11

  • Added 4 vulnerabilities

1.0.10

  • Added 7 vulnerabilities

1.0.9

  • Added 4 vulnerabilities

1.0.8

  • Added 6 vulnerabilities

1.0.7

  • Added 9 vulnerabilities

1.0.6

  • Added 17 vulnerabilities

1.0.5

  • Added 16 vulnerabilities

1.0.4

  • Added 14 vulnerabilities

1.0.3

  • Added 30 vulnerabilities

1.0.2

  • Added 8 vulnerabilities

1.0.1

  • Added 6 vulnerabilities

1.0

  • Initial release