ALERT:150 XSS AUG 2021 – Cross-Site Scripting AUG 2021 Blast

XSS AUG 2021 – Cross-Site Scripting AUG 2021

Managed WordPress Security Report

Be informed about the latest Cross-Site Scripting AUG 2021, identified and reported publicly. As these XSS AUG 2021 vulnerabilities have a severe negative impact on any WordPress Security, consider our FREE security AUDIT.

An estimated jaw-dropping 2.596.000+ active WordPress installations are susceptible to this attack type, considering only the publicly available numbers. The estimated number can increase by 20-25% with premium versions as they are private purchases.

Furthermore, the initial estimation can triple if we consider (1) the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain; and (2) the closed “uncounted” versions remain active on domains already running the plugins, as nobody is maintaining security. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind new / protected areas, possibly exposing other clean WP to different attack types.

It is a mind-boggling 1264% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous report here: ALERT: 77 XSS JUL 2021 – Cross-Site Scripting JUL 2021 Blast and 11 XSS – Cross-Site Scripting – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the XSS AUG 2021 category:

---

• Ad Blocker Notify Lite – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• AMP extensions – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Aoi Tori – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Awesome Support – WordPress HelpDesk & Support Plugin – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Catchers Helpdesk and Ticket system for Support – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Bootstrap Categories Gallery – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Woocommerce Categories in gallery format – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• WordPress Form Customizer | CF7 Customizer – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• ClinicalWP Core – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Custom Scrollbar Designer – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Custom Text Selection Colors – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Disable Image Right Click – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Easy Gallery Slideshow – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Easy Google Map – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Easy Justified Gallery – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Share Posts To Email – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Exit Popup Show – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Flight Search Widget and Blocks – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• ICustomizer – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Live Chat for Fanpage – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Media Mirror – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Popup Modal For Youtube – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Project2App – Turn Your WordPress Site into an Android App – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Seatgeek Affiliate Tickets – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• SEO-Dashboard by gutewebsites.de – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Share Woocommerce to Email – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Stars Menu – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• tcS3 – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Total Sales For Woocommerce – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Venture Event Manager – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• WebHotelier for WordPress – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Product Limited Time Availability Date for woocommerce – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• Кнопка Яндекс Денег – Reflected Cross-Site Scripting (XSS)
  • No Known Fix. Use it at your own risk!

---

• 4k Icon Fonts For Visual Composer – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed and is no longer available for download.

---

• 4k Icon Fonts For Visual Composer – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed and is no longer available for download.

---

• Affiliate Pro – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed and is no longer available for download.

---

• Betteroptin – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed and is no longer available for download.

---

• Border Loading Bar – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of September 7, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Cool Facebook Page Feed Timeline – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of July 15, 2019 and is not available for download. This closure is permanent. Reason: Author Request.

---

• Icons With Links Widget – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of July 5, 2022 and is not available for download. Reason: Security Issue.

---

• Simple Behace Portfolio – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Sticky Related Posts – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of January 28, 2022 and is not available for download. This closure is permanent. Reason: Author Request.

---

• TR Easy Google Analytics – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of October 23, 2018 and is not available for download. Reason: Guideline Violation.

---

• Woo Whatsapp Request Quote – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of September 25, 2019 and is not available for download. Reason: Licensing/Trademark Violation.

---

• Woosaleskit Bar – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of May 2, 2019 and is not available for download. Reason: Guideline Violation.

---

• Securimage-WP-Fixed – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of August 9, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• MF Gig Calendar – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of July 9, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Blue Admin – CSRF to Stored Cross-Site Scripting (XSS)
  • This plugin has been closed as of May 28, 2022 and is not available for download. Reason: Security Issue.

---

• Youtube Feeder – CSRF to Stored XSS
  • This plugin has been closed as of July 29, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Nifty Newsletters – CSRF to Stored XSS
  • This plugin has been closed as of July 29, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Keywords & Meta – CSRF to Stored Cross-Site Scripting (XSS)
  • This plugin has been closed as of June 2, 2022 and is not available for download. Reason: Security Issue.

---

• SEO Backlinks – CSRF to Stored XSS
  • This plugin has been closed as of July 23, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Post Index – CSRF to Stored XSS
  • This plugin has been closed as of July 20, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Email Artillery – Multiple Authenticated SQL Injections
• Email Artillery – Multiple Reflected Cross-Site Scripting
• Email Artillery – CSRF to Stored XSS
• Email Artillery – Arbitrary File Upload
• Email Artillery – Multiple Authenticated SQL Injections
  • This plugin has been closed as of June 28, 2022 and is not available for download. Reason: Security Issue.

---

• Per Page Add to Head – Authenticated Stored XSS
• Per Page Add to Head – CSRF to Stored XSS
  • This plugin has been closed as of June 7, 2022 and is not available for download. Reason: Security Issue.

---

• Language Bar Flags – CSRF to Stored XSS
  • This plugin has been closed as of June 16, 2022 and is not available for download. Reason: Security Issue.

---

• Custom Post View Generator – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 3, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Calendar – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Add Sidebar – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• WP SEO Tags – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• jQuery Tagline Rotator – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Plugmatter Pricing Table Lite – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Simple Popup Newsletter – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• TypoFR – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• WP Songbook – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Custom Post Type Relations – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• WP Fountain – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Media Usage – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Scribble Maps – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Multiplayer Games – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Smart Email Alerts – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Simple Behance Portfolio – Reflected Cross-Site Scripting
  • This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• youForms for WordPress – Authenticated Stored Cross-Site Scripting
  • This plugin has been closed as of July 30, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• You Shang – Authenticated Stored Cross-Site Scripting
  • This plugin has been closed as of July 30, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• WP Dialog – Authenticated Stored Cross-Site Scripting
  • This plugin has been closed as of August 2, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• WP Customize Login – Authenticated Stored Cross-Site Scripting (XSS)
  • This plugin has been closed as of August 4, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Titan Framework – Reflected Cross-Site Scripting (XSS)
  • This plugin has been closed as of March 16, 2022 and is not available for download. This closure is permanent. Reason: Author Request.

---

• AddToAny Share Buttons – Authenticated Stored XSS
  • The AddToAny Share Buttons plugin for WordPress increases traffic & engagement by helping people share your posts and pages to any service. Services include Facebook, Twitter, Pinterest, WhatsApp, LinkedIn, Tumblr, Reddit, WeChat, and over 100 more sharing and social media sites & apps. Active installations: 500,000+

---

• Favicon by RealFaviconGenerator – Reflected Cross-Site Scripting (XSS)
  • Generate and setup a favicon for desktop browsers, iPhone/iPad, Android devices, Windows 8 tablets and more. In a matter of seconds, design an icon that looks great on all major platforms. Active installations: 200,000+

---

• ShareThis Dashboard for Google Analytics – Reflected Cross-Site Scripting (XSS)
  • Monitor, analyze, and measure visitor engagement for your site directly from your WordPress dashboard with our Google Analytics plugin. With our Google Analytics dashboard, you’ll be able to conveniently access Google Analytics reports in the same interface you already use every day to write and manage your posts. Active installations: 200,000+

---

• Smash Balloon Social Post Feed – Unauthenticated Stored XSS
  • Display Facebook posts on your WordPress site. Completely customizable, responsive, search engine crawlable, and GDPR compliant Facebook feeds. Display unlimited Facebook feeds from your Facebook page or Facebook Group, and completely match the look and feel of your site with tons of customization options! Automatically powers any Facebook oEmbeds on your site. Active installations: 200,000+

---

• All 404 Redirect to Homepage – Authenticated Stored Cross-Site Scripting (XSS)
  • By this plugin you can fix all random 404 links appear in you your website and redirect them to homepage or any other page using 301 SEO redirect. 404 error pages hurts the rank of your site in search engines. This smart plugin is a simple solution to handle 404 error pages. Active installations: 200,000+

---

• WPFront Scroll Top – Authenticated Stored XSS
  • WPFront Scroll Top plugin allows the visitor to easily scroll back to the top of the page, with fully customizable options and image. WPFront Scroll Top plugin has the following features. Active installations: 100,000+

---

• GiveWP – Donation Plugin and Fundraising Platform – Authenticated Stored XSS
  • GiveWP is the highest rated, most downloaded, and best supported donation plugin for WordPress. Built from the ground up for all your fundraising needs, GiveWP provides you with a powerful donation platform optimized for online giving. Active installations: 100,000+

---

• Pods – Custom Content Types and Fields – Multiple Authenticated Stored Cross-Site Scripting (XSS)
  • Manage all your custom content needs in one location with the Pods Framework. Active installations: 100,000+

---

• Contact Form 7 Captcha – CSRF to Stored XSS
  • Add Google CAPTCHA to Contact Form 7. Protect your Contact Form 7 forms from spam and abuse. Can be used to protect multiple forms on same page. Active installations: 100,000+

---

• Migration, Backup, Staging – WPvivid Backup and Migration Plugin – Reflected Cross-Site Scripting
  • WPvivid Backup Plugin offers backup, migration, and staging as basic features, and is integrating more and more elegant features, such as unused images cleaner etc. Active installations: 100,000+

---

• SEOPress, on-site SEO – Authenticated Stored Cross-Site Scripting
  • SEOPress is a powerful WordPress SEO plugin to optimize your SEO, boost your traffic, improve social sharing, build custom HTML and XML Sitemaps, create optimized breadcrumbs, add schemas / Google Structured data types, manage 301 redirections and so much more. Active installations: 100,000+

---

• Simple Banner – Authenticated Stored XSS
  • This plugin makes it easy to display a simple announcement banner or bar at the top of your website. You can easily customize the color of the links, text, and background of the bar from within the settings. You can also customize to your heart’s desire by adding your own custom CSS. There’s also a fancy preview section within the settings so you can see your changes before you save them. Active installations: 40,000+

---

• HD Quiz – Authenticated Stored XSS
  • HD Quiz is a very easy to use plugin to create an unlimited amount of quizzes and embed them onto any page or post. HD Quiz is equally perfect for building strong professional based questionnaires or fun Buzzfeed style quizzes. Active installations: 7,000+

---

• Qyrr – simply and modern QR-Code creation – Authenticated (contributor+) Stored XSS
  • Qyrr is a simple yet powerful solution to create and manage QR-Codes. It use a simple interface to create and design your QR-Codes. Active installations: 500+

---

• Membership & Content Restriction – Paid Member Subscriptions – Reflected Cross-Site Scripting (XSS)
• Membership & Content Restriction – Paid Member Subscriptions – Authenticated SQL Injection
  • Paid Member Subscriptions is a robust WordPress membership plugin that’s a joy to setup and use. It offers a complete membership solution, allowing you to accept member payments, manage members, create subscription plans and restrict access to premium content. Active installations: 10,000+

---

• Simple Social Media Share Buttons – Social Sharing for Everyone – Contributor+ Stored XSS
  • Simple Social Buttons adds ( with lots of options like Sidebar, inline, above and below the posts content, on photos, popups, fly ins ) an advanced set of social media sharing buttons to your WordPress sites, such as: Facebook, WhatsApp, Viber, Twitter, Reddit, LinkedIn and Pinterest. Active installations: 40,000+

---

• WP Learn Manager – Unauthenticated Stored Cross-Site Scripting (XSS)
• WP Learn Manager – Unauthenticated Arbitrary User Field Edition/Creation
  • WP Learn Manager is extensive, featured rich and comprehensive learning management system for WordPress. WP Learn Manager comes with a lots of features like course list, course search with many filters, create course, create lectures, Add Quizzes, take lectures, enrollment, shortlist courses, Messaging, Social logins, Social sharing, Awards and many more. Active installations: 80+

---

• FluentSMTP – WordPress Mail SMTP, SES, SendGrid, Mailgun and Any SMTP Plugin – Authenticated Stored XSS
  • Are you having problems with your WordPress emails not sending? Or looking to set the email address in which your emails are delivered from. This plugin will solve all your email deliverability problems. FluentSMTP is the ultimate WP Mail Plugin that connects with your Email Service Provider natively and makes sure your emails are delivered 💯. Active installations: 30,000+

---

• Sitewide Notice WP – Authenticated Stored XSS
  • Simply add a small message bar to the bottom of each page of your website to display notice messages such as sales, notices and any text messages. A lightweight plugin that simply adds a small notification bar that allows you to insert simple text at the bottom of every page of your website as a call-to-action. Active installations: 5,000+

---

• Business Hours Indicator – Authenticated Stored XSS
  • Highly customizable shortcodes to display your opening times in any format. Active installations: 9,000+

---

• StoryChief – Reflected Cross-Site Scripting (XSS)
• StoryChief – Authenticated Stored Cross-Site Scripting (XSS)
  • Use StoryChief for collaboration on SEO blogposts, social posts and one-click multichannel distribution. Active installations: 2,000+

---

• VDZ Google Analytics or Google Tag Manager / GTM – Authenticated Stored XSS
  • Just install and use 🙂. Simple Google Tag Manager (GTM) or Universal Google Analytics plugin. After added Google Analytics ID – select where show your code in Head or Footer section. Active installations: 600+

---

• Cooked – Recipe Plugin – Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized (rich snippets), galleries, cooking timers, printable recipes and much more. Check out the full list below. Active installations: 8,000+

---

• Cookie Notice & Consent Banner for GDPR & CCPA Compliance – Authenticated Stored XSS
  • Install a Cookie Notice or Consent Banner as Required by Privacy Laws (GDPR & CCPA). Easily Customizable to Fit Your Design. Active installations: 1,000+

---

• WordPress Affiliates Plugin — SliceWP – Reflected Cross-Site Scripting (XSS)
  • We’re powered by personal experience, having worked on numerous affiliate projects every time we found the current solutions lacking. So we built SliceWP to be easy to use, quick to set up and have a beautiful interface. Active installations: 1,000+

---

• Site Reviews – Authenticated Stored XSS
  • Site Reviews allows your visitors to submit reviews with a 1-5 star rating on your website, similar to the way you would on TripAdvisor or Yelp. The plugin provides blocks, shortcodes, and widgets, along with full documentation. Active installations: 30,000+

---

• WPFront Notification Bar – Authenticated Stored XSS
  • Want to display a notification about a promotion or a news? WPFront Notification Bar plugin lets you do that easily. Active installations: 60,000+

---

• Form Builder | Create Responsive Contact Forms – Reflected Cross-Site Scripting (XSS)
• Form Builder | Create Responsive Contact Forms – Authenticated Stored Cross-Site Scripting
  • Form Builder is responsive simple to use plugin for creating forms with advanced capabilities. Supports integrations with other services and allow you to store form submissions. Active installations: 9,000+

---

• Stop Spammers Security | Block Spam Users, Comments, Forms – Authenticated Stored XSS
  • Stop spam emails, spam comments, spam registration, and spam bots and spammers in general. Run diagnostic tests, view activity, and much more with this well-maintained, mature plugin. Active installations: 60,000+

---

• WP Mobile Menu – The Mobile-Friendly Responsive Menu – Reflected Cross-Site Scripting (XSS)
  • WP Mobile Menu is the best WordPress responsive mobile menu. Provide to your mobile visitor an easy access to your site content using any device smartphone/tablet/desktop. Active installations: 90,000+

---

• Station Pro Plugin – Reflected Cross-Site Scripting (XSS)
  • Now in its newest version the station Pro has more features and is compatible with most browsers and mobile device with a new technology for easily play in your radio station. Active installations: 100+

---

• Events Shortcodes For The Events Calendar – Reflected Cross-Site Scripting (XSS)
  • Best addon for The Events Calendar plugin to show your events anywhere inside your page or post using events shortcode builder or Gutenberg blocks. This events calendar addon also provides free stunning events list design templates in which you can select custom colors and fonts. Active installations: 10.000+

---

• W3SCloud Contact Form 7 to Zoho CRM – Reflected Cross-Site Scripting (XSS)
  • This plugin integrate Zoho CRM with Contact Form 7 plugin. Whenever user submit a Contact Form 7 form, if a integration is created for the form then form entry will be inserted to CRM automatically. Active installations: 80+

---

• Book appointment online – Authenticated Stored Cross-Site Scripting (XSS)
  • Book appointment online – plugin for online doctor, hairdresser, stylist and other appointments. A perfect choice for medical centers, beauty salons, hair shops, car services. Active installations: 600+

---

• Daily Prayer Time – Authenticated Stored XSS
  • Alhamdulillah that you can display Yearly and Monthly prayer time with ajax month selector using shortcode [timetable] Daily prayer time can be displayed vertically or horizontally in your preferable widget area. Designed for any Mosque or Islamic institutes. Active installations: 1,000+

---

• Picture Gallery – Frontend Image Uploads, AJAX Photo List – Authenticated Stored XSS
  • Picture Gallery plugin enables users to upload and share pictures from frontend or backend. Generates thumbs, adds pictures and thumbs to WordPress Media Library and integrate galleries for custom posts. Active installations: 500+

---

• Content text slider on post – Authenticated Stored Cross-Site Scripting (XSS)
  • Content text slider on post is a WordPress plugin from gopiplus. We can use this plugin to scroll the content vertically in the posts and pages. Active installations: 1,000+

---

• WP Courses LMS – Reflected Cross-Site Scripting
• WP Courses LMS – Authenticated Stored XSS via Video Embed Code
  • WP Courses is a full-featured, free learning management system ( LMS ) that makes creating courses on your WordPress site easier than ever with an intuitive interface, drag-and-drop tools, video tutorials and more. Active installations: 1,000+

---

• WordPress Advanced Ticket System, Elite Support Helpdesk – Authenticated Stored Cross-Site Scripting (XSS)
  • This WordPress plugin adds the features of a complete support ticket system for WordPress. This allows users to submit tickets to report problems or get support on whatever you want directly through your WordPress website. Users can set the status, priority, product and type of each ticket submitted into this WordPress support plugin. WATS is perfect WordPress plugin for support plus advanced issue management. Active installations: 500+

---

• ThinkTwit – Authenticated Stored Cross-Site Scripting (XSS)
  • ThinkTwit is a highly customisable plugin that can output tweets from multiple users (something that very few other plugins can do successfully), #hashtag or keyword. It uses the Twitter Search JSON API v1.1 to access tweets which can be cached. It is very simple, yet flexible and easily customised. It can be placed on your WordPress page simply through drag and drop on the Widgets interface or through the use of Shortcode or Output Anywhere (PHP function call). Supports i18n! Active installations: 100+

---

• WordPress Slider Block Gutenslider – Contributor+ Stored XSS
  • Gutenslider is an image slider and video slider plugin for WordPress that adds a simple to use Gutenberg slider block to your WordPress editor. You do not need
    other editors but can manage everything directly in the Gutenberg editor you already know and love. You can add any content on top that you want! Gutenslider is faster and slicker than any other slider around. Go and try it out yourself and make use of a content slider, image slider and video slider that will increase user engagement on your website and allow you to create your sliders in seconds not in minutes, by using the Gutenberg backend editor you know already. No need to study complicated backend editors. Gutenslider is the best match for you and your customers. Active installations: 10,000+

---

• Splash Header – Authenticated Stored Cross-Site Scripting (XSS)
  • Splash header in WordPress will let you to create a welcome screen that contain title, description, custom links, or any custom code and can be added anywhere in your website using shortcode Active installations: 10+

---

• WP Mapa Politico España – Authenticated Stored XSS
  • Este plugin permite insertar un mapa político de España en post o páginas. En la página del plugin se pueden definir los titles e hipervínculos de cada una de las provincias. Active installations: 600+

---

• Alojapro Widget – Authenticated Stored Cross-Site Scripting(XSS)
  • Basic search box with check-in and check-out dates to make a search on Alojapro booking engine. Also allows to set and email and/or a discount code. The Iframe functionality allows the user to integrate the bookings search results into any page. Active installations: 10+

---

• Erident Custom Login and Dashboard – Authenticated Stored Cross-Site Scripting (XSS)
  • TOP RATED PLUGIN for Login Page Customization!!! Customize completely your WordPress Login Screen and Dashboard easily. Add your company logo to login screen, change background images, colors, styles etc. Customize your Dashboard footer text also for complete branding. Now faster and better db performance! Active installations: 3,000+

---

• Admin Custom Login – CSRF to Stored XSS
  • Admin custom login plugin give ability to customize your WordPress admin login page according to you. Create unique login design or admin login design with admin custom login plugin, Almost every element on login page is customize-able with admin custom login plugin. Design beautiful and eye catching login page styles in few Minutes . Active installations: 50,000+

---

• Slider Hero with Animation, Video Background & Intro Maker – CSRF to Stored XSS
  • Slider Hero is a futuristic, responsive header Hero Slider plugin and Dyanmic Website Intro Advert maker with Youtube Video background and animated background effects for hero banners, hero sliders and Landing pages. Create awesome animation slider and animated header with text carousel and Call to Action buttons from Gutenberg Slider Block & Elementor Slider Widget. Use youtube video background or combine animation effect and youtube video. Active installations: 4,000+

---

• Listing, Classified Ads & Business Directory – uListing – Unauthenticated SQL Injection
• Listing, Classified Ads & Business Directory – uListing – Authenticated IDOR
• Listing, Classified Ads & Business Directory – uListing – Authenticated Reflected XSS
• Listing, Classified Ads & Business Directory – uListing – Multiple CSRF
• Listing, Classified Ads & Business Directory – uListing – Modify User Roles via CSRF
• Listing, Classified Ads & Business Directory – uListing – Settings Update via CSRF
• Listing, Classified Ads & Business Directory – uListing – Unauthenticated Privilege Escalation
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• WP Fusion Lite – Marketing Automation for WordPress – CSRF to Data Deletion
• WP Fusion Lite – Marketing Automation for WordPress – Reflected Cross-Site Scripting (XSS)
  • WP Fusion Lite synchronizes your WordPress users with leading CRMs and marketing automation systems, keeps user profiles in sync with CRM contact records, and lets you protect site content based on CRM tags. Active installations: 3,000+

---

• WP SMS – Authenticated Stored Cross-Site Scripting
  • By WP SMS you can add the ability of SMS sending to your WordPress product. So you can send SMS to your newsletter subscribers or your users and get their attentions to your site and products. Active installations: 8,000+

---

• Poll Maker – Reflected Cross-Site Scripting
  • Poll Maker plugin is developed to build awesome polls and conduct interactive elections super easily and quickly. Our WordPress Polling Plugin gives impressive tools to create powerful and simple polls. You have 5 poll types to choose from, advanced settings, dozens of style options included 7 pre-build themes, and many more functionalities a professional poll builder will wish for. Looking for the best poll plugin for WordPress via which you can create a poll in minutes? You are in the right place! Active installations: 2,000+

---

• Highlight – Authenticated Stored Cross-Site Scripting
  • Use shortcode to highlight any text snippet inside your blog post or WordPres pages. Helpful to draw user attention to particular text or paragraph that are deemed important by the admin. Active installations: 10+

---

• Clean Login – Reflected Cross-Site Scripting
  • Responsive Frontend Login and Registration plugin. A plugin for displaying login, register, editor and restore password forms through shortcodes. Active installations: 10,000+

---

• SpeakOut! Email Petitions – Reflected Cross-Site Scripting
  • SpeakOut! Email Petitions allows you to easily create petition forms on your site. When visitors to your site submit the petition form, a copy of your message will be sent to the email address you specified e.g. your mayor. They can also choose to have the email BCC’d to themselves (default). The petition message will be signed with the contact information provided by the form submitter. After signing the petition, visitors will have the option of sharing your petition page with their followers on Facebook or Twitter. Active installations: 5,000+

---

• Tutor LMS – eLearning and online course solution – Reflected Cross-Site Scripting
  • Tutor is a complete, feature-packed and robust WordPress LMS plugin to create & sell courses online easily. All the features of this learning management system hits all the checkpoints for a full-fledged online course marketplace. You can create challenging and fun quizzes, interactive lessons, powerful reports and stats making Tutor potentially the best free WordPress LMS plugin. Manage, administer and monetize your education, online school, and online courses without having to write a single line of code. Active installations: 30,000+

---

• Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress – Reflected Cross-Site Scripting
  • Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used to create engaging content to drive traffic and increase user engagement. Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee surveys. This plugin is the ultimate marketing tool for your website. Active installations: 40,000+

---

• miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , MFA, OTP SMS and Email) | Passwordless login – Reflected Cross-Site Scripting
  • Google Authenticator – Two Factor (2FA) – Two Factor Authentication plugin provides a completely Secure login to your WordPress website. Google Authenticator is a FREE, Simple & very easy to setup plugin for securing your website from unauthorized logins. This plugin can be configured for any TOTP-based authentication method like Google Authenticator, Microsoft Authenticator, etc. This plugin also supports OTP Over SMS, OTP Over Email, Duo Authenticator, OTP Over WhatsApp, OTP Over Telegram, and many more authentication methods.

    Active installations: 20,000+

---

• Two Factor Authentication – Reflected Cross-Site Scripting
  • A simple light weight and highly secure Two-Factor Authentication(2FA/TFA) for your WordPress site. This plugin adds an additional layer of Authentication to your WordPress login after entering the correct username and password. It protects your website from hacks and unauthorized login attempts. Active installations: 700+

---

• FV Flowplayer Video Player – Reflected Cross-Site Scripting
  • Custom HTML 5 video on your own site with Flash fallback for legacy browsers is here. FV Player is a free, easy-to-use, and complete solution for embedding FLV or MP4 videos into your posts or pages. With MP4 videos, FV Player offers 98% coverage even on mobile devices. Active installations: 40,000+

---

• Software License Manager – Reflected Cross-Site Scripting
  • Software license management solution for your web applications (WordPress plugins, Themes, PHP based membership script etc.) This plugin is very useful for creating a license server and doing the following via API Active installations: 1,000+

---

• Moova for WooCommerce – Reflected Cross-Site Scripting
  • Integrate with moova to get same-day shipping at affordable rates. This extension would allow clients to from Uruguay, Argentina, Mexico, Chile, Peru, Guatemala, and Panama to automate your shippings. Active installations: 90+

---

• 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat – Reflected Cross-Site Scripting
  • This plugin implements 2 videochat modes: video call rooms and random videochat. VideoCall rooms can be managed by users from frontend and shared by access link. Random videochat is accessible on a custom page, where users are randomly matched with other users that access that page. Videochat pages should be added to cache exceptions. Active installations: 90+

---

• Skaut bazar – Reflected Cross-Site Scripting
  • Implementace jednoduchého bazaru s možností online rezervace přes email. Plugin po aktivaci se vkládá na libovolnou stránku pomocí Shortcodes: [skautbazar]. Plugin podporuje i MultiSite, takže můžete mít na každé stránce jiný bazar, s vlastním nastavením a vším co je s tím spojené. V nastavení je možnost výrozích hodnot. Tedy jméno, přijímení, email a telefon. Požadovaný je vše kromě telefonu. Při zakládání nového inzerátu, jsou požadovaná pole označena kvězdičkou. Active installations: 90+

---

• CBX Bookmark & Favorite – Reflected Cross-Site Scripting
  • This plugin is inspired from youtube’s bookmark or favorite feature. User can create their own bookmark category public or private and save articles inside different folders/list/category. Later we extended the plugin so that category can be global created by admin or single click bookmark without any category as pro features. There are lots of practical use for this simple but useful(we like to call it ‘powerful’) plugin. This plugin can help you create a bookmark site or user generated list site. Active installations: 1,000+

---

• Afterpay Gateway for WooCommerce – Reflected Cross-Site Scripting
  • Give your customers the option to buy now and pay later with Afterpay. The “Afterpay Gateway for WooCommerce” plugin provides the option to choose Afterpay as the payment method at the checkout. It also provides the functionality to display the Afterpay logo and instalment calculations below product prices on category pages, individual product pages, and on the cart page. For each payment that is approved by Afterpay, an order will be created inside the WooCommerce system like any other order. Automatic refunds are also supported.

    Active installations: 10,000+

---

• Auto Amazon Links – Amazon Associates Affiliate Plugin – Reflected Cross-Site Scripting
  • Still manually searching products and pasting Amazon affiliate links in WordPress posts? What happens if the products get outdated? With this plugin, you do not have to worry about it nor trouble to do such repetitive tasks. Just pick categories which suit your site and it will automatically display the links of decent products just coming out from Amazon today. Active installations: 10,000+

---

• SP Project & Document Manager – Authenticated Shell Upload
• SP Project & Document Manager – Reflected Cross-Site Scripting
  • Project & Document management plugin, Remote file sharing, maintain and control unlimited number of documents, records, files, media, videos and images. You can create unlimited folders and sub folders to share, organize, manage client, student & supplier documents and accounts, control individual documents, and select specific file sharing of documents all in an easy to manage online process. Active installations: 3,000+

---

• Availability Calendar – Authenticated SQL Injection
• Availability Calendar – Authenticated Stored Cross-Site Scripting
  • WordPress Availability Calendar is a FREE responsive easy to use plugin. This plugin can use for different purposes like showing holiday list of your business, availability of your days, upcoming events, conference, rents apartments, available properties etc. You can easily manage the colour codes of calendar according to your theme easily. You can also use shortcode to display separate calendars of each category. Active installations: 600+

---

• 博客社交分享组件 – Subscriber+ Stored Cross-Site Scripting
  • 博客社交分享组件是一款整合了网站打赏，文章点赞，微海报及文章社交分享功能插件。插件为读者提供点赞、微海报和社交分享功能，激励网站访客互动，提升WordPress博客文章传播；同时方便访客通过二维码打赏（捐赠）站长以鼓励站长继续创作贡献。 Active installations: 1,000+

---

• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Full Path Disclosure
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Reflected Cross-Site Scripting
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – lib/hitcounter.php pid Parameter SQL Injection
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Reflected Cross-Site Scripting via wp-admin/admin.php skin parameter
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Multiple Vulnerabilities
  • Gallery Grand Flagallery – powerfull media and image gallery plugin. Easy interface for handling photos and image galleries. You can create a beautiful video gallery from YouTube, Vimeo. Active installations: 10,000+

---

• Jock on air now – Authenticated Stored Cross-Site Scripting
• Jock on air now – Reflected Cross-Site Scripting
• Jock on air now – Arbitrary Plugin’s Settings Update via CSRF
  • Joan is a WordPress plugin that lets site admins easily manage and display a rotating programming schedule for radio or TV. Jock on air now (JOAN) displays the name of the current show and upcoming show with current time. If nothing is scheduled, it displays a custom message of your choice. Active installations: 1,000+

---

• Shopping Cart & eCommerce Store – CSRF to Stored Cross-Site Scripting
  • WP EasyCart is a powerful FREE WordPress eCommerce store & WordPress Shopping Cart plugin that installs into new or existing websites. Get a fast WordPress eCommerce shopping cart store within minutes! Sell retail products, subscriptions, digital downloadable goods, gift cards, donations, services and more! Active installations: 6,000+

BRIEF: Cross-Site Scripting AUG 2021 is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

What is CROSS-SITE SCRIPTING AUG 2021?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

What is the impact of a XSS AUG 2021 ATTACK?

The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:

– In a simple public application, where all users are anonymous and all information is public, the impact will often be minimal. Nothing else to steal.
– In an application holding sensitive or private/personal data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
– If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users, owners and their data.

What kind of XSS attacks are exploited?

– Reflected XSS, where the malicious script comes from the current HTTP request.
– Stored XSS, where the malicious script comes from the website’s database.
– DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

 

MANAGED WordPress Security: XSS AUG 2021 – Cross-Site Scripting AUG 2021 Related Posts