Tuesday, February 20, 2018

The Top 50 Most Attacked WordPress Plugins Making Your Site Vulnerable to Hackers

The Top 50 Most Attacked WordPress Plugins Making Your Site Vulnerable to Hackers

Do you run a WordPress site? How aware are you of the vulnerabilities of your site to plugin attacks and hackers?

The WordPress Plugin Directory helps bloggers and website owners rid themselves of static pages and build intuitive user interfaces, all without the need to learn complex coding and website development skills.

However, given the open source and somewhat unregulated nature of the plugin directory, it presents potential security risks.

One study revealed that almost 98% of WordPress blogs were easily exploited because they were running outdated versions of the software, or outdated plugins.

The dark side of the WordPress Plugin

An inspection into some of the top WordPress plugins found that a considerable number of the top 50 WordPress plugins were exposed to the possibility of being attacked via SQL injection and XSS. And, a separate inspection conducted for the top 10 eCommerce plugins found that 7 of them contained vulnerabilities.

This post will highlight the 50 most attacked WordPress Plugins in 2017. The report will showcase:

  • The number of total attacks. This will determine the total number of attacks that were reported by the particular plugin.
  • The type of the attack. This will reflect the “Location File Inclusion” (LFI) attack that allows exploiters to download any file they want, or the “Unrestricted File Upload” that allows exploiters to upload a “shell” that gives them full remote access to target the site.
  • The exploit database link. This will determine the language used by the penetration testers and vulnerability researchers.
  • The WordPress plugin website.This will provide you details and information about the plugin and a link to download.

If you use any of these attacked WordPress plugins on your website, you may want to look into ways to improve your security.

#1. BackUpWordPress (Backup for your website)

Total attacks: 2,159,725

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37752/

Website link: https://wordpress.org/plugins/backupwordpress/

#2. WP Symposium Pro (Social-networking plugin)

Total attacks: 2,517,975

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/35543/

Website link: https://wordpress.org/plugins/wp-symposium-pro/

#3. WPTF Image Gallery (Modern photo gallery)

Total attacks: 2,164,929

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37751/

Website link: https://wpcore.com/plugin/wptf-image-gallery

#4. Google MP3 Audio Player (Audio Files)

Total attacks: 128,622

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/35460/

Website link: https://wordpress.org/plugins/search/google-mp3-audio-player/

#5. WP-DB-Backup (Automated backup collection to email)

Total attacks: 148,661

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/35378/

Website link: https://wordpress.org/plugins/wp-db-backup/

#6. WooCommerce Extra Product Options (Enhanced product options)

Total attacks: 1,011,602

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39421/

Website link: https://wordpress.org/plugins/woo-extra-product-options/

#7. WP e-Commerce Shop Styling (E-commerce store improvements)

Total attacks: 2,137,509

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37530/

Website link: https://wordpress.org/plugins/wp-ecommerce-shop-styling/

#8. Candidate Application Form (Vacancy adverts management)

Total attacks: 2,158,179

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37754/

Website link: https://wordpress.org/plugins/wp-candidate-application-form/

#9. WP Mobile Detect (Maintain responsive integrity)

Total attacks: 5,174,567

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/39891/

Website link: https://wordpress.org/plugins/wp-mobile-detect/

#10. WP-PageNavi (Flexible page linking)

Total attacks: 276,883

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/32622/

Website link: https://wordpress.org/plugins/wp-pagenavi/

#11. Newsletter (List building)

Total attacks: 124858

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19018/

Website link: https://wordpress.org/plugins/newsletter/

#12. Google Photos Gallery (Manage and stack photos in categories)

Total attacks: 136,833

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19055/

Website link: https://wordpress.org/plugins/google-picasa-albums-viewer/

#13. Tinymce Thumbnail Gallery (Thumbnail image gallery)

Total attacks: 133,348

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19022/

Website link: https://wordpress.org/plugins/tinymce-thumbnail-gallery/

#14. DukaPress (Online store builder)

Total attacks: 135,206

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/35346/

Website link: https://wordpress.org/plugins/dukapress/

#15. WP File Manager (File manager)

Total attacks: 146,480

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/25440/

Website link: https://wordpress.org/plugins/wp-file-manager/

#16. History Collection (Save and track history)

Total attacks: 140,769

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37254/

Website link: https://wordpress.org/plugins/search/history-collection/

#17. HTML5 Video Player and Advertising (Video management system)

Total attacks: 142,925

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37254/

Website link: https://codecanyon.net/item/html5-video-player-advertising-wp-plugin/7851635

#18. Document Management System (Organize, share and secure documents)

Total attacks: 134,482

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36576/

Website link: https://wordpress.org/plugins/dms/

#19. JQuery HTML5 File Upload (Easy file uploads)

Total attacks: 1,058,754

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36640/

Website link: https://wordpress.org/plugins/search/jquery-html5-file-upload/

#20. MDC YouTube Downloader (Insert video to posts)

Total attacks: 129,015

Type: LFI

Exploit database: Not available

Website link: https://wordpress.org/plugins/mdc-youtube-downloader/

#21. PayPal Currency Converter (Payment gateway integration)

Total attacks: 131,075

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37253/

Website link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/

#22. Really Simple Guest Post (Create and manage posts)

Total attacks: 340,145

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37209/

Website link: https://wordpress.org/plugins/search/really-simple-guest-post/

#23. WP Rocket (Powerful caching plugin)

Total attacks: 694,115

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37074/

Website link: https://wordpress.org/plugins/tags/wp-rocket/

#24. Aspose Cloud eBook Generator (Create eBooks)

Total attacks: 144,725

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39575/

Website link: https://wordpress.org/plugins/aspose-cloud-ebook-generator/

#25. IBS Mappro (Map creator, editor and view generator)

Total attacks: 150,498

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/18989/

Website link: https://wordpress.org/plugins/ibs-mappro/

#26. WP SwimTeam (Swim league management system)

Total attacks: 441,445

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37601/

Website link: https://wordpress.org/plugins/wp-swimteam/

#27. ZoomSounds (Audio files and playlist manager)

Total attacks: 413,237

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37166/

Website link: http://digitalzoomstudio.net/docs/zoomsounds/

#28. Simple Download Button Shortcode (Download manager)

Total attacks: 369,066

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19020/

Website link: https://wordpress.org/plugins/search/simple-download-button-shortcode/

#29. Image Export (Attachment exporter)

Total attacks: 298,841

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39584/

Website link: https://wordpress.org/plugins/wp-attachment-export/

#30. Sell Downloads (Sell downloaded files)

Total attacks: 470,510

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/38868/

Website link: https://wordpress.org/plugins/sell-downloads/

#31. TheCartPress (Shopping cart enhancer)

Total attacks: 435,271

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/38869/

Website link: https://wordpress.org/plugins/thecartpress/

#32. Advance Uploader (Upload large files)

Total attacks: 432,619

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/38867/

Website link: https://wordpress.org/plugins/advanced-uploader/

#33. FileDownload (Manage, track, and control file downloads)

Total attacks: 350,875

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/30443/

Website link: https://wordpress.org/plugins/download-manager/

#34. Ajax Store Locator (Store location management system)

Total attacks: 339,801

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36777/

Website link: https://wordpress.org/plugins/search/ajax+store/

#35. Brandfolder (Press kit management)

Total attacks: 330,113

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39591/

Website link: https://wordpress.org/plugins/brandfolder/

#36. Frontend Uploader (Easy content submission)

Total attacks: 215,921

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/31570/

Website link: https://wordpress.org/plugins/frontend-uploader/

#37. Peugeot Music Plugin (Music library management)

Total attacks: 211,274

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36802/

Website link: https://pluginu.com/peugeot-music-plugin/

#38. Malapascua Agency* (Agency website management)

Total attacks: 207,877

Type: LFI

Exploit database: Not available

Website link: Not available

#39. The Viddler (Video responsive)

Total attacks: 204,447

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39646/

Website link: https://wordpress.org/plugins/search/the-viddler-wordpress-plugin/

#40. WP Post Frontend (Website post and profile management)

Total attacks: 203,197

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/39422/

Website link: https://wordpress.org/plugins/frontier-post/

#41. FormCraft (Custom form creator)

Total attacks: 201,984

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/30002/

Website link: https://wordpress.org/plugins/formcraft-form-builder/

#42. Simple Ads Manager (Ad optimizer)

Total attacks: 199,230

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36614/

Website link: https://wordpress.org/plugins/search/simple-ads-manager/

#43. WP EasyCart (Shopping cart extension)

Total attacks: 207,554

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/38160/

Website link: https://wordpress.org/plugins/wp-easycart/

#44. ReFlex Gallery (Multiple galleries for mobile)

Total attacks: 137,260

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36374/

Website link: https://wordpress.org/plugins/reflex-gallery/

#45. ACF Frontend Display (Website development)

Total attacks: 701,963

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37514/

Website link: https://wordpress.org/plugins/acf-frontend-display-by-catsplugins/

#46. Work The Flow File Upload (File upload capabilities)

Total attacks: 670,824

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36640/

Website link: https://wordpress.org/plugins/work-the-flow-file-upload/

#47. WP Shop (eCommerce site developer)

Total attacks: 111,546

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37530/

Website link: https://en-au.wordpress.org/plugins/wp-shop-original/

#48. Pretty Rev Slider (Custom slider installation)

Total attacks: 145,626

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36957/

Website link: https://wordpress.org/plugins/pretty-rev-slider/

#49. Inboundio Marketing (Website details management)

Total attacks: 112,696

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36478/

Website link: http://www.inboundio.com/

#50. eBook Download

Total attacks: 89,640

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39575/

Website link: https://wordpress.org/plugins/search/ebook/

Please note:

*The Malapascua Agency plugin in the list does not exist in the current version of the plugin. However, IMPress Agents a WordPress compatible plugin is helping business owners with flexible solutions to build and manage their multiple agency website needs.

If you use any of the above plugins, ensure you upgrade to the latest version, and adopt Wordfence with Firewall enabled to protect your WordPress sites from unexpected brute force attacks in the future.

Good luck!

Guest Author: Anil Parmar is the co-founder of Glorywebs that specializes in WordPress web development services, web design & development, digital marketing and more. Themes & plugins we develop have a common # 1 goal: Keeping it as simple as possible for technical & non tech geeks. Follow him on Twitter @abparmar99 & say Hi

The post The Top 50 Most Attacked WordPress Plugins Making Your Site Vulnerable to Hackers appeared first on Jeffbullas’s Blog.


Read Full Article: http://bathseoexpert.tumblr.com/post/171092229006

No comments:

Post a Comment