May was a quiet month for security alerts from Sucuri. The only alert concerned the wildly popular caching plugins, W3 Total Cache and WP Super Cache, which were both being targeted by some mfunc HTML comment exploits.
Packet Storm Coverage
- WordPress User Role Editor 3.12 Cross Site Request Forgery
- Spider Event Calendar 1.3.0 Cross Site Scripting / Path Disclosure / SQL Injection
- Spider Catalog 1.4.6 Cross Site Scripting / Path Disclosure / SQL Injection
- WordPress wp-FileManager File Download
- WordPress Newsletter 3.2.6 Cross Site Scripting
- WordPress Video JS Cross Site Scripting
- WordPress Search And Share 0.9.3 Cross Site Scripting
- WordPress Securimage 3.2.4 Cross Site Scripting
- WordPress Advanced XML Reader 0.3.4 XXE Injection
In what was a mild month at Packet Storm, there was nothing that really stood out to me as a high priority.
As always, make sure you’re running the latest version of your plugins. If you’re using a version of a plugin that is listed above, you should disable it and find another suitable plugin that has an author who keeps it updated and secure.