BlogSecurity’s WordPress BlogWatch gives you a central location to check out the latest WordPress Vulnerabilities. In the future, I hope to incorporate this information into a WordPress plugin and alerting system. Please check back often for updates.
If you see a vulnerability that we have not listed, please let us know via our Contact Form; thank you in advance.
The latest WordPress download is available here.
| Versions Affected | Details | Risk |
|---|---|---|
| WordPress = 2.3 | XSS injection in edit-post-rows.php, needs register_globals on (more) | MEDIUM |
| WordPress <= 2.3 | Unregistered users can add Links to Blogroll (more) | LOW |
| WordPress <= 2.2.2 and WordPress MU <= 1.2.4 | Remote SQL Injection in xmlrpc.php (more) | HIGH |
| WordPress <= 2.2.2 | User can post arbitrary HTML without needed rights (more) | MEDIUM |
| WordPress <= 2.2.1 | Redirection Vulnerability in wp-pass.php (more) | MEDIUM |
| WordPress <= 2.2 and WordPress MU <= 1.2.2 | Arbitrary File Upload (more) | HIGH |
| WordPress <= 2.2 | Remote shell injection in PHPMailer (more) | HIGH |
| WordPress <= 2.2 | Unauthorised Comments Disclosure (more) | LOW |
| WordPress <= 2.2 | xmlrpc.php authenticated SQL Injection (more) | MEDIUM |
| WordPress <= 2.1.3 | admin-ajax.php SQL Injection (more) | HIGH |
| WordPress <= 2.1.3 | Akismet XSS (more) | HIGH |
| WordPress <= 2.1.2 | PHP_SELF XSS (more) | HIGH |
| WordPress <= 2.1.2 | XMLRPC SQL Injection (more) | HIGH |
| WordPress 2.1.1 | Backdoored Version (more) | HIGH |
| WordPress <= 2.1.0 | Comments XSS (more) | HIGH |
| WordPress <= 2.0.7 | Templates.php XSS (more) | HIGH |
| WordPress <= 2.0.6 | wp-trackback.php SQL Injection (more) | HIGH |
| WordPress <= 2.0.5 | Template CSRF Vulnerability (more) | HIGH |
| WordPress <= 2.0.3 | wp_register XSS through user_email parameter (more) | MEDIUM |
| WordPress <= 2.0.2 | cache_file PHP injection (more) | HIGH |
| WordPress <= 2.0.0 | wp_register XSS through user_login parameter (more) | MEDIUM |
| WordPress <= 1.5.1.3 | Command Execution (more) | HIGH |
| WordPress <= 1.2.2 | Multiple XSS, SQL Injection (more) | HIGH |
| Versions Affected | Details | Fixed Version | Risk |
|---|---|---|---|
| WordSpew <= 3.72 | SQL Injection Vulnerability (more) | WordSpew 3.72 | HIGH |
| BackupWordpress < 0.4.3 | Remote File Inclusion (more) | BackupWordPress 0.4.3 | HIGH |
| FeedSmith <= 2.2 | CSRF possible (more) | FeedSmith 2.3 | HIGH |
| wp-feedstats < WordPress 2.4 | Persistent XSS Vulnerability (more) | wp-feedstats 2.4 | HIGH |
| wp-db-backup < WordPress 2.0.4 | Directory Traversal Vulnerability (more) | WordPress > 2.0.5 | HIGH |
| wp-pagenavi < 2.11 | XSS Vulnerability (more) | 2.11 | HIGH |
| WP-Stats < 2.01 | SQL Injection Vulnerability (more) | 2.01 | HIGH |
| WordPress Democracy <= 2.0 | XSS Vulnerability (more) | 2.0.1 | HIGH |
| WordPress myFlash <= 1.00 | Remote File Include (more) | None found | HIGH |
| WordPress myGallery <= 1.4b4 | Remote File Include (more) | 1.4b7 | HIGH |
| WordPress wordTube <= 1.43 | wpPATH Remote File Inclusion (more) | 1.44 | HIGH |
| WordPress wp-Table <= 1.43 | Remote File Include (more) | 1.45 | HIGH |
[...] updated their site with a list of known vulnerabilities in each version of Wordpress and some popular plugins. I appreciate this list, and hope it’s regularly updated - knowing [...]
[...] wrote about BlogSecurity the other day, and they’re now posting updates on WordPress security issues. While I’m certain that there are other sites doing this, I just wanted to include the [...]
[...] WordPress BlogWatch has been updated to reflect this finding. [...]
[...] wordTube <= 1.43 is listed on BlogSecurity’s dangerous WordPress software list "BlogWatch". This wp-plugin is vulnerable to a File Include Vulnerability, this means an attacker can [...]
[...] BlogWatch was updated with this vulnerability and classified as a Medium Risk issue. [...]
[...] during my research I came across the BlogSecurity site, which, besides current vulnerabilities, also offers a WordPress Vulnerability Scanner with which you can check your blog for vulnerabilities [...]
[...] was defaced yesterday due to running an older version of the popular myGallery plugin. BlogWatch was referenced in his article, as we have displayed the myGallery vulnerability on WordPress [...]
[...] A list of known security holes in WordPress and plugins can, incidentally, be found at BlogSecurity. In my opinion it should not be missing from any feed reader. Tags: aktuelles , Defacement , Security , wordpress [...]
[...] BlogWatch has been updated with this vulnerability. [...]
[...] the BlogSecurity site, with Blogwatch, also offers helpful pointers on security holes in Wordpress and [...] alongside milw0rm -> wordpress [...]
Would be great to be able to subscribe to the updates of this post somehow. Is there a way?
Mikael, we usually do release an update post on the main blog when it has been updated. So if you subscribe to our main feed you’ll know. Thanks.
Hi, I am the author for pagenavi, but the more link is linked to the readme.html instead of the security issue.
GamerZ, if you send me the link to the latest version I’ll make the correction. Thanks.
[...] WP security holes: a good summary of all currently known security holes in Wordpress and plugins. [...]
[...] been a quiet couple of weeks for WordPress vulnerability disclosure. In fact, according to WordPress BlogWatch WP 2.2.3 and Dexter remain vulnerability free - of course, this does not include themes and [...]
[...] his internet for a day so I could sort out the mess - in short… I was using old versions of Wordpress that had vulnerabilities. A very bad idea as these vulnerabilities were being abused by someone or something which caused my [...]
[...] and finally we will look at the list of security holes and alerts for the various WordPress versions: WordPress BlogWatch [...]
[...] upgrades seriously — Check this list, and if your WordPress version is one of these with known vulnerabilities, or if you are using [...]
[...] other hackings, I was stunned to discover that there are over a dozen versions of WordPress with known vulnerabilities. With an estimated 2 to 3 million blogs using WordPress, that means a lot of blogs potentially at [...]
[...] The site blogsecurity.net regularly reports on new holes. It offers tools such as the WP-Scanner, with which you can check the security of your own installation, guides on how to harden your blog and your php settings, and a list of the security holes in the various WP versions. [...]
Is this list still being updated? I cannot find the latest WP2.5 reports here yet… Is there a corresponding list somewhere in the Codex? Thanks.
Hello Tobias, the list is not being updated at the moment. However, it will shortly be replaced by a new service, which will then also list the latest security holes and offer more functions.
[...] I’ve now disabled xmlrpc.php, but anyone using WordPress should be aware that there are lots of exploits some of which are still unresolved, and should lock down their installation accordingly. Naturally [...]
What about a Wordpress plugin that was able to query both this site and its local Wordpress installation?
If any new vulnerabilities become listed, then it could report specifically which parts of your Wordpress should be deactivated / upgraded?
James, great feedback. We were working on something like this; it's kinda gone dead. I'll check with the guys.