Hacked, dangerous & vulnerable WordPress plugins

With more than 47,000 plugins in the official WordPress repository and thousands more available on various marketplaces and sites, finding the ones that work well is hard. Finding WordPress plugins that are secure and do not put your site at risk is harder still, because WordPress security is complex and plugins are large, with thousands of lines of code.

While we cannot help you avoid every bad plugin, we can identify those with known vulnerabilities and confirmed security problems. Unless you know what you are doing, are testing something on a local installation, or are working on WordPress security, you should not use the dangerous plugins listed below on production sites. The issues described in the table below are well known and documented, which lets anyone with bad intentions exploit these security flaws and attack your site.

Vulnerability types

A quick reminder of the most common security flaws and problems that WordPress plugins face. Note that most issues are a combination of two or more of the types listed below.

Arbitrary file viewing
Instead of allowing only certain file sources to be displayed (for example, plugin templates), a lack of checks in the code lets the attacker read the source of any file, including those containing sensitive information such as wp-config.php.

Arbitrary file upload
A lack of file-type and content filtering allows uploading arbitrary files that may contain executable code, which, once run, can do just about anything on a site.

Privilege escalation
Once the attacker has an account on the site, even if it is only a subscriber account, they can raise their privileges to a higher level, up to and including administrator.

SQL injection
By failing to filter and sanitize the data that goes into SQL queries, malicious code can be injected into the queries and data deleted, updated or inserted in the database. This is one of the most common vulnerabilities.

Remote code execution (RCE)
Instead of uploading and running malicious code, the attacker can execute it from a remote location. The code can do anything from hijacking the site to deleting it entirely.
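The "arbitrary file viewing" entry above is the most frequent item in the table below. The following is an added example, not code from this page or from any plugin it lists: a hypothetical admin-ajax handler that lets an editor view a plugin template's source, first in the unchecked form the entry describes, then hardened with a capability check, a nonce and a realpath() containment check. All function and action names are made up for the illustration.

```php
<?php
// Added illustration, not code from the page or any listed plugin.
// Hypothetical admin-ajax handler: show the source of one plugin template.

// VULNERABLE PATTERN: the "file" parameter is used as-is, so a value such as
// "../../wp-config.php" walks out of templates/ (arbitrary file viewing).
function vuln_plugin_view_template() {
    $file = $_GET['file'];
    readfile( plugin_dir_path( __FILE__ ) . 'templates/' . $file );
    wp_die();
}

// HARDENED PATTERN: only privileged, nonce-checked requests reach readfile(),
// and only for a file that resolves inside the plugin's templates/ directory.
function safe_plugin_view_template() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_ajax_referer( 'safe_plugin_view_template' );

    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    // sanitize_file_name() already strips "/" and "\" from the name; the
    // realpath() prefix test below is defence in depth, not the only guard.
    $name     = sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) );
    $resolved = ( false !== $base )
        ? realpath( $base . DIRECTORY_SEPARATOR . $name )
        : false;

    // realpath() returns false for missing files and collapses any "../"
    // segments, so requiring the $base prefix rejects anything that escapes
    // templates/. Restricting the extension keeps .htaccess and similar out.
    if ( false === $resolved
        || 0 !== strpos( $resolved, $base . DIRECTORY_SEPARATOR )
        || 'php' !== pathinfo( $resolved, PATHINFO_EXTENSION ) ) {
        wp_die( 'Invalid template', 400 );
    }

    header( 'Content-Type: text/plain; charset=utf-8' );
    readfile( $resolved );
    wp_die();
}
add_action( 'wp_ajax_safe_plugin_view_template', 'safe_plugin_view_template' );
```

The same pattern (capability, nonce, allow-list, then the filesystem call) applies to the "arbitrary file upload" entries, where wp_check_filetype_and_ext() plays the role of the extension check here.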

List of hacked, dangerous & vulnerable WordPress plugins

Plugin Name | Vulnerability Type | Min / Max Versions Affected
--- | --- | ---
1 Flash Gallery | arbitrary file upload | 1.3.0 / 1.5.6
360 Product Rotation | arbitrary file upload | 1.1.3 / 1.2.0
Tevolution | arbitrary file upload | 2.0 / 2.2.9
Addblockblocker | arbitrary file upload | 0.0.1
Ads Widget | remote code execution (RCE) | 2.0 / n/a
Advanced Access Manager | privilege escalation | 3.0.4 / 3.2.1
Advanced Ajax Page Loader | arbitrary file upload | 2.5.7 / 2.7.6
Advanced Video Embed Embed Videos Or Playlists | arbitrary file viewing | n/a / 1.0
Analytic | remote code execution (RCE) | 1.8
Analytics Counter | PHP object injection | 1.0.0 / 3.4.1
Appointments | PHP object injection | 1.4.4 Beta / 2.2.0
Asgaros Forum | settings change | 1.0.0 / 1.5.7
Aspose Cloud Ebook Generator | arbitrary file viewing | 1.0
Aspose Doc Exporter | arbitrary file viewing | 1.0
Aspose Importer Exporter | arbitrary file viewing | 1.0
Aspose Pdf Exporter | arbitrary file viewing | 1.0
Attachment Manager | arbitrary file upload | 1.0.0 / 2.1.1
Auto Attachments | arbitrary file upload | 0.2.7 / 0.3
Bbpress Like Button | SQL injection | 1.0 / 1.5
Bepro Listings | arbitrary file upload | 2.0.54 / 2.2.0020
Blaze Slide Show For WordPress | arbitrary file upload | 2.0 / 2.7
Brandfolder | local file inclusion (LFI) | 2.3 / 3.0
Breadcrumbs Ez | remote code execution (RCE) | n/a
Candidate Application Form | arbitrary file viewing | 1.0
Cardoza Facebook Like Box | arbitrary file upload | 2.8.9 / 2.9.1
Category Grid View Gallery | arbitrary file upload | 0.1.0 / 0.1.1
Category Page Icons | restricted file upload | 0.1 / 0.9.1
Cherry Plugin | arbitrary file upload | 1.0 / 1.2.6
Chikuncount | arbitrary file upload | 1.3
Cip4 Folder Download Widget | arbitrary file viewing | 1.4 / 1.10
Cms Commander Client | PHP object injection | 2.02 / 2.21
Contus Video Gallery | arbitrary file viewing | 2.2 / 2.3
Cookie Eu | remote code execution (RCE) | 1.0
Cp Image Store | arbitrary file viewing | 1.0.1 / 1.0.5
Cross Rss | arbitrary file viewing | 0.5
Custom Content Type Manager | remote code execution (RCE) | 0.9.8.8
Custom Lightbox | possible remote code execution (RCE) | 0.24
Cysteme Finder | arbitrary file viewing | 1.1 / 1.3
Db Backup | arbitrary file viewing | 1.0 / 4.5
Delete All Comments | arbitrary file upload | 2.0
Developer Tools | arbitrary file upload | 1.0.0 / 1.1.4
Disclosure Policy Plugin | remote file inclusion (RFI) | 1.0
Display Widgets | remote code execution (RCE) | 2.6
Dop Slider | arbitrary file upload | 1.0
Download Zip Attachments | arbitrary file viewing | 1
Downloads Manager | arbitrary file upload | 1.0 Beta / 1.0 rc-1
Dp Thumbnail | arbitrary file upload | 1.0
Dropbox Backup | PHP object injection | 1.0 / 1.4.7.5
Dukapress | arbitrary file viewing | 2.3.7 / 2.5.3
Duplicate Page And Post | spam injection | 2.1.0 / 2.1.1
Ebook Download | arbitrary file viewing | 1.1
Ecstatic | arbitrary file upload | 0.90 (x9) / 0.9933
Ecwid Shopping Cart | PHP object injection | 3.4.4 / 4.4.3
Email Subscribers | information disclosure | 1.2 / 3.4.7
Enable Google Analytics | remote code execution (RCE) | n/a
Estatik | arbitrary file upload | 1.0.0 / 2.2.5
Event Commerce Wp Event Calendar | persistent cross-site scripting (XSS) | 1.0
Filedownload | arbitrary file viewing | 0.1
Flickr Gallery | PHP object injection | 1.2 / 1.5.2
Font Uploader | restricted file upload | 1.0 / 1.2.4
Form Lightbox | option update | 1.1 / 2.1
Formidable | information disclosure | 1.07.5 / 2.0.07
Fresh Page | arbitrary file upload | .11 / 1.1
Front End Upload | arbitrary file upload | 0.3.0 / 0.5.3
Front File Manager | arbitrary file upload | 0.1
Fs Real Estate Plugin | SQL injection | 1.1 / 2.06.03
G Translate | remote code execution (RCE) | 1.0 / 1.3
Gallery Objects | SQL injection | 0.2 / 0.4
Gallery Plugin | restricted file upload | 1.01 / 3.1
Gallery Slider | remote code execution (RCE) | 2.0 / 2.1
Genesis Simple Defaults | arbitrary file upload | 1.0.0
Gi Media Library | arbitrary file viewing | 1.0.300 / 2.2.2
Google Analytics Analyze | remote code execution (RCE) | 1.0
Google Document Embedder | SQL injection | 2.5 / 2.5.16
Google Maps By Daniel Martyn | remote code execution (RCE) | 1.0
Google Mp3 Audio Player | arbitrary file viewing | 1.0.9 / 1.0.11
Grapefile | arbitrary file upload | 1.0 / 1.1
Gravityforms | reflected cross-site scripting (XSS) | 1.7 / 1.9.15.11
Hb Audio Gallery Lite | arbitrary file viewing | 1.0.0
Hd Webplayer | SQL injection | 1.0 / 1.1
History Collection | arbitrary file viewing | 1.1. / 1.1.1
Html5avmanager | arbitrary file upload | 0.1.0 / 0.2.7
I Dump Iphone To WordPress Photo Uploader | arbitrary file upload | 1.1.3 / 1.8
Ibs Mappro | arbitrary file viewing | 0.1 / 0.6
Image Export | arbitrary file viewing | 1.0.0 / 1.1.0
Image Symlinks | arbitrary file upload | 0.5 / 0.8.2
Imdb Widget | arbitrary file viewing | 1.0.1 / 1.0.8
Inboundio Marketing | arbitrary file upload | 1.0.0 / 2.0
Infusionsoft | arbitrary file upload | 1.5.3 / 1.5.10
Inpost Gallery | local file inclusion (LFI) | 2.0.9 / 2.1.2
Invit0r | arbitrary file upload | 0.2 / 0.22
Ip Logger | arbitrary file upload | 2.6 / 3.0
Is Human | remote code execution (RCE) | 1.3.3 / 1.4.2
Iwp Client | PHP object injection | 0.1.4 / 1.6.0
Jssor Slider | arbitrary file upload | 1.0 / 1.3
Kingcomposer | arbitrary file upload | 2.7 / 2.7.4
Like Dislike Counter For Posts Pages And Comments | SQL injection | 1.0 / 1.2.3
Mac Dock Gallery | arbitrary file upload | 1.0 / 2.7
Magic Fields | arbitrary file upload | 1.5 / 1.5.5
Mailchimp Integration | remote code execution (RCE) | 1.0.1 / 1.1
Mailin | SQL injection | 2.6.0 / 2.8.3
Mailpress | local file inclusion (LFI) | 5.2 / 5.4.6
Mdc Youtube Downloader | arbitrary file viewing | 2.1.0
Membership Simplified For Oap Members Only | arbitrary file viewing | Beta 1.27 / Beta 1.58
Menu Image | malicious JavaScript loading | 2.6.5 / 2.6.9
Miwoftp | arbitrary file viewing | 1.0.0 / 1.0.4
Mm Forms Community | arbitrary file upload | 1.0 / 2.2.6
Mobile App Builder By Wappress | arbitrary file upload | n/a / 1.05
Mobile Friendly App Builder By Easytouch | arbitrary file upload | 3.0
Multi Plugin Installer | arbitrary file viewing | 1.0.0 / 1.1.0
Mypixs | local file inclusion (LFI) | 0.3
Newsletters Lite | PHP object injection | 4.0 / 4.6.8.5
Nmedia User File Uploader | arbitrary file upload | 1.8
Nofollow All External Links | spam injection | 2.1.0 / 2.3.0
Open Flash Chart Core WordPress Plugin | | 0.2 / 0.4
Option Seo | remote code execution (RCE) | 1.5
Page Google Maps | remote code execution (RCE) | 1.4
Party Hall Booking Management System | SQL injection | 1.0 / 1.1
Paypal Currency Converter Basic For Woocommerce | arbitrary file viewing | 1.0 / 1.3
Php Analytics | arbitrary file upload | n/a
Php Event Calendar | arbitrary file upload | 1.5.8 / 1.6
Pica Photo Gallery | arbitrary file viewing | 1.0
Pitchprint | arbitrary file upload | 7.1 / 7.1.1
Plugin Newsletter | arbitrary file viewing | 1.3 / 1.5
Post Grid | file deletion | 2.0.6 / 2.0.12
Posts In Page | authenticated local file inclusion (LFI) | 1.0.0 / 1.2.4
Pretty Link | authenticated short link creation | 2.0.0 / 2.1.2
Really Simple Guest Post | local file inclusion (LFI) | 1.0.1 / 1.0.6
Recent Backups | arbitrary file viewing | 0.1 / 0.7
Reflex Gallery | arbitrary file upload | 1.0 / 3.0
Resume Submissions Job Postings | arbitrary file upload | 2.0 / 2.5.3
Return To Top | remote code execution (RCE) | 1.8 / 5.0
Revslider | arbitrary file viewing | 1.0 / 4.1.4
S3bubble Amazon S3 Html 5 Video With Adverts | arbitrary file viewing | 0.5 / 0.7
Sam Pro Free | local file inclusion (LFI) | 1.4.1.23 / 1.9.6.67
Se Html5 Album Audio Player | arbitrary file viewing | 1.0.8 / 1.1.0
Sell Downloads | arbitrary file viewing | 1.0.1
Seo Keyword Page | remote code execution (RCE) | 2.0.5
Seo Spy Google WordPress Plugin | arbitrary file upload | 2.0 / 2.6
Seo Watcher | arbitrary file upload | 1.3.2 / 1.3.3
Sexy Contact Form | arbitrary file upload | 0.9.1 / 0.9.8
Sfwd Lms | arbitrary file upload | 1.3.6 / 2.5.3
Share Buttons Wp | remote code execution (RCE) | 1.0
Sharexy | restricted file upload | 4.0 / 4.2.2
Shortcodes Ultimate | authenticated remote code execution (RCE) | 4.5.0 / 5.0.0
Showbiz | arbitrary file viewing | 1.0 / 1.5.2
Simple Ads Manager | information disclosure | 2.0.73 / 2.7.101
Simple Download Button Shortcode | arbitrary file viewing | 1.0
Simple Dropbox Upload Form | arbitrary file upload | 1.8.6 / 1.8.8
Simple Image Manipulator | arbitrary file viewing | 1.0
Simplr Registration Form | privilege escalation | 2.2.0 / 2.4.3
Site Editor | local file inclusion (LFI) | 1.0.0 / 1.1.1
Site Import | remote page inclusion | 1.0.0 / 1.2.0
Slide Show Pro | arbitrary file upload | 2.0 / 2.4
Smart Google Code Inserter | persistent cross-site scripting (XSS) | 1.0 / 3.4
Smart Slide Show | arbitrary file upload | 2.0 / 2.4
Smart Videos | remote code execution (RCE) | 1.0
Social Networking E Commerce 1 | arbitrary file upload | 0.0.32
Social Sharing | possible arbitrary file upload | 1.0
Social Sticky Animated | remote code execution (RCE) | 1.0
Spamtask | arbitrary file upload | 1.3 / 1.3.6
Spicy Blogroll | local file inclusion (LFI) | 0.1 / 1.0.0
Spotlightyour | arbitrary file upload | 1.0 / 4.5
Stats Counter | PHP object injection | 1.0 / 1.2.2.5
Stats Wp | remote code execution (RCE) | 1.8
Store Locator Le | unrestricted email sending | 2.6 / 4.2.56
Table Maker | PHP object injection through SQL injection | 1.4 / 1.6
Taxonomy Terms Order | authenticated PHP object injection | 1.2.4 / 1.5.2.2
Tera Charts | reflected cross-site scripting (XSS) | 0.1 / 1.0
The Viddler WordPress Plugin | cross-site request forgery (CSRF) / cross-site scripting (XSS) | 1.2.3 / 2.0.0
Thecartpress | local file inclusion (LFI) | 1.1.0 / 1.1.5
Tinymce Thumbnail Gallery | arbitrary file viewing | v1.0.4 / v1.0.7
Ultimate Member | arbitrary file upload | 2.0.4 / 2.0.21
Ultimate Product Catalogue | arbitrary file upload | 1.0 / 3.1.1
Ungallery | arbitrary file viewing | 0.8 / 1.5.8
User Files | arbitrary file upload | 2.0 / 2.4.2
User Role Editor | privilege escalation | 4.19 / 4.24
Web Tripwire | arbitrary file upload | 0.1.2
Webapp Builder | arbitrary file upload | 2.0
Website Contact Form With File Upload | arbitrary file upload | 1.1 / 1.3.4
Weever Apps 20 Mobile Web Apps | arbitrary file upload | 3.0.25 / 3.1.6
Woocommerce Catalog Enquiry | arbitrary file upload | 2.3.3 / 3.0.0
Woocommerce Product Addon | arbitrary file upload | 1.0 / 1.1
Woocommerce Products Filter | authenticated persistent cross-site scripting (XSS) | 1.1.4 / 1.1.4.2
Woopra | arbitrary file upload | 1.4.1 / 1.4.3.1
WordPress File Monitor | persistent cross-site scripting (XSS) | 2.0 / 2.3.3
Work The Flow File Upload | arbitrary file upload | 0.1.6 / 2.5.2
Wp Appointment Schedule Booking System | persistent cross-site scripting (XSS) | 1.0
Wp Business Intelligence Lite | arbitrary file upload | 1.0 / 1.0.7
Wp Crm | arbitrary file upload | 0.15 / 0.31.0
Wp Custom Page | arbitrary file viewing | 0.5 / 0.5.0.1
Wp Dreamworkgallery | arbitrary file upload | 2.0 / 2.3
Wp Easybooking | reflected cross-site scripting (XSS) | 1.0.0 / 1.0.3
Wp Easycart | authenticated arbitrary file upload | 1.1.27 / 3.0.8
Wp Ecommerce Shop Styling | authenticated arbitrary file viewing | 1.0 / 2.5
Wp Editor | authenticated arbitrary file upload | 1.0.2 / 1.2.5.3
Wp Filemanager | arbitrary file viewing | 1.2.8 / 1.3.0 / 6.0-6.8
Wp Flipslideshow | persistent cross-site scripting (XSS) | 2.0 / 2.2
Wp Front End Repository | arbitrary file upload | 1.0.0 / 1.1
Wp Google Drive | arbitrary file deletion | 2.0 / 2.2
Wp Handy Lightbox | remote code execution (RCE) | 1.4.5
Wp Homepage Slideshow | arbitrary file upload | 2.0 / 2.3
Wp Image News Slider | arbitrary file upload | 3.0 / 3.5
Wp Js External Link Info | open redirect (after interstitial) | 1.0 / 1.21
Wp Levoslideshow | arbitrary file upload | 2.0 / 2.3
Wp Miniaudioplayer | arbitrary file viewing | 0.5 / 1.2.7
Wp Mobile Detector | authenticated persistent cross-site scripting (XSS) | 3.0 / 3.2
Wp Mon | arbitrary file viewing | 0.5 / 0.5.1
Wp Noexternallinks | spam injection | 4.2.0 / 4.2.2
Wp Online Store | arbitrary file viewing | 1.2.5 / 1.3.1
Wp Piwik | persistent cross-site scripting (XSS) | 0.10.0.1 / 1.0.10
Wp Popup | remote code execution (RCE) | 2.0.0 / 2.1
Wp Post Frontend | arbitrary file upload | 1.0
Wp Property | arbitrary file upload | 1.20.0 / 1.35.0
Wp Quick Booking Manager | persistent cross-site scripting (XSS) | 1.0 / 1.1
Wp Royal Gallery | persistent cross-site scripting (XSS) | 2.0 / 2.3
Wp Seo Spy Google | arbitrary file upload | 3.0 / 3.1
Wp Simple Cart | arbitrary file upload | 0.9.0 / 1.0.15
Wp Slimstat Ex | arbitrary file upload | 2.1 / 2.1.2
Wp Superb Slideshow | arbitrary file upload | 2.0 / 2.4
Wp Support Plus Responsive Ticket System | arbitrary file viewing | 1.0 / 4.1
Wp Swimteam | arbitrary file viewing | 1 / 1.44.1077
Wp Symposium | arbitrary file upload | 13.04 / 14.11
Wp Vertical Gallery | arbitrary file upload | 2.0 / 2.3
Wp Yasslideshow | arbitrary file upload | 3.0 / 3.4
Wp2android Turn Wp Site Into Android App | arbitrary file upload | 1.1.4
Wpeasystats | local file inclusion (LFI) | 1.8
Wpmarketplace | arbitrary file viewing | 2.2.0 / 2.4.0
Wpshop | arbitrary file upload | 1.3.1.6 / 1.3.9.5
Wpstorecart | arbitrary file upload | 2.0.0 / 2.5.29
Wptf Image Gallery | arbitrary file viewing | 1.0.1 / 1.0.3
Wsecure | remote code execution (RCE) | 2.3
Wysija Newsletters | arbitrary file upload | 1.1 / 2.6.7
Xdata Toolkit | arbitrary file upload | 1.6 / 1.9
Zen Mobile App Native | arbitrary file upload | 3.0
Zingiri Web Shop | arbitrary file upload | 2.3.6 / 2.4.3
Zip Attachments | arbitrary file viewing | 1.0 / 1.4

… Read more: https://firstsiteguide.com/tools/free-fsg/hacked-dangerous-vulnerable-wordpress-plugins/

Sources

The list of latest dangerous and vulnerable WordPress plugins is compiled from various sources including:

Other useful links: