Do you run a WordPress site? How aware are you of the vulnerabilities of your site to plugin attacks and hackers?
The WordPress Plugin Directory helps bloggers and website owners rid themselves of static pages and build intuitive user interfaces, all without the need to learn complex coding and website development skills.
However, given the open source and somewhat unregulated nature of the plugin directory, it presents potential security risks.
One study revealed that almost 98% of WordPress blogs were easily exploited because they were running outdated versions of the software, or outdated plugins.
The dark side of the WordPress Plugin
An inspection of some of the top WordPress plugins found that a considerable number of the top 50 WordPress plugins were exposed to attack via SQL injection and XSS. A separate inspection of the top 10 eCommerce plugins found that 7 of them contained vulnerabilities.
This post will highlight the 50 most attacked WordPress Plugins in 2017. The report will showcase:
- The number of total attacks. This is the total number of attacks reported against the particular plugin.
- The type of attack. This is either a “Local File Inclusion” (LFI) attack, which lets exploiters read and download files from the server that they should not be able to reach, or an “Unrestricted File Upload” attack, which lets exploiters upload a “shell” that gives them full remote access to the target site.
- The exploit database link. This points to the Exploit Database entry written up by penetration testers and vulnerability researchers.
- The WordPress plugin website. This provides details and information about the plugin and a link to download it.
If you use any of these attacked WordPress plugins on your website, you may want to look into ways to improve your security.
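To make the two attack types in the list concrete, here is an added illustration of each weakness beside a hardened form. This is example code written for this post, not code from the original article or from any of the plugins listed; the function names, the `templates/` and `uploads/` directories and the allowlists are assumptions chosen for the example.

```php
<?php
// Added illustration (not the page's or any listed plugin's code) of the two
// weaknesses the list is built around. Directory and function names are assumed.

// --- Local File Inclusion (LFI): the raw request value chooses the file.
function render_template_unsafe(string $name): void {
    // Vulnerable: a value such as "../../wp-config.php" walks out of the
    // templates directory and discloses whatever the web server can read.
    include __DIR__ . '/templates/' . $name;
}

// Hardened: the request value is only a key into a fixed allowlist, so no
// user-controlled text ever becomes part of a filesystem path.
function render_template_safe(string $name): void {
    $allowed = ['gallery' => 'gallery.php', 'single' => 'single.php'];
    if (!isset($allowed[$name])) {
        http_response_code(400);
        return;
    }
    include __DIR__ . '/templates/' . $allowed[$name];
}

// --- Unrestricted file upload: whatever is sent is written under the web root.
function save_upload_unsafe(array $file): string {
    // Vulnerable: the client controls both the file name (and so the extension,
    // e.g. ".php") and the content, which is exactly how a web shell is planted.
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: detect the type from the file's bytes rather than the client's
// claim, map it to an extension we choose, and store under a random name.
function save_upload_safe(array $file): ?string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;              // anything that is not a real image is rejected
    }
    $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}
```

Inside a WordPress plugin the upload half of this is better delegated to the core `wp_handle_upload()` function, which enforces the site's allowed MIME list and sanitises the file name; the allowlist pattern for includes has no core equivalent and has to be written into the plugin itself.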
#1. BackUpWordPress (Backup for your website)
Total attacks: 2,159,725
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37752/
Website link: https://wordpress.org/plugins/backupwordpress/
#2. WP Symposium Pro (Social-networking plugin)
Total attacks: 2,517,975
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/35543/
Website link: https://wordpress.org/plugins/wp-symposium-pro/
#3. WPTF Image Gallery (Modern photo gallery)
Total attacks: 2,164,929
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37751/
Website link: https://wpcore.com/plugin/wptf-image-gallery
#4. Google MP3 Audio Player (Audio Files)
Total attacks: 128,622
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/35460/
Website link: https://wordpress.org/plugins/search/google-mp3-audio-player/
#5. WP-DB-Backup (Automated backup collection to email)
Total attacks: 148,661
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/35378/
Website link: https://wordpress.org/plugins/wp-db-backup/
#6. WooCommerce Extra Product Options (Enhanced product options)
Total attacks: 1,011,602
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39421/
Website link: https://wordpress.org/plugins/woo-extra-product-options/
#7. WP e-Commerce Shop Styling (E-commerce store improvements)
Total attacks: 2,137,509
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37530/
Website link: https://wordpress.org/plugins/wp-ecommerce-shop-styling/
#8. Candidate Application Form (Vacancy adverts management)
Total attacks: 2,158,179
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37754/
Website link: https://wordpress.org/plugins/wp-candidate-application-form/
#9. WP Mobile Detect (Maintain responsive integrity)
Total attacks: 5,174,567
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/39891/
Website link: https://wordpress.org/plugins/wp-mobile-detect/
#10. WP-PageNavi (Flexible page linking)
Total attacks: 276,883
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/32622/
Website link: https://wordpress.org/plugins/wp-pagenavi/
#11. Newsletter (List building)
Total attacks: 124,858
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19018/
Website link: https://wordpress.org/plugins/newsletter/
#12. Google Photos Gallery (Manage and stack photos in categories)
Total attacks: 136,833
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19055/
Website link: https://wordpress.org/plugins/google-picasa-albums-viewer/
#13. Tinymce Thumbnail Gallery (Thumbnail image gallery)
Total attacks: 133,348
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19022/
Website link: https://wordpress.org/plugins/tinymce-thumbnail-gallery/
#14. DukaPress (Online store builder)
Total attacks: 135,206
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/35346/
Website link: https://wordpress.org/plugins/dukapress/
#15. WP File Manager (File manager)
Total attacks: 146,480
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/25440/
Website link: https://wordpress.org/plugins/wp-file-manager/
#16. History Collection (Save and track history)
Total attacks: 140,769
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37254/
Website link: https://wordpress.org/plugins/search/history-collection/
#17. HTML5 Video Player and Advertising (Video management system)
Total attacks: 142,925
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37254/
Website link: https://codecanyon.net/item/html5-video-player-advertising-wp-plugin/7851635
#18. Document Management System (Organize, share and secure documents)
Total attacks: 134,482
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/36576/
Website link: https://wordpress.org/plugins/dms/
#19. JQuery HTML5 File Upload (Easy file uploads)
Total attacks: 1,058,754
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/36640/
Website link: https://wordpress.org/plugins/search/jquery-html5-file-upload/
#20. MDC YouTube Downloader (Insert video to posts)
Total attacks: 129,015
Type: LFI
Exploit database: Not available
Website link: https://wordpress.org/plugins/mdc-youtube-downloader/
#21. PayPal Currency Converter (Payment gateway integration)
Total attacks: 131,075
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37253/
Website link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
#22. Really Simple Guest Post (Create and manage posts)
Total attacks: 340,145
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37209/
Website link: https://wordpress.org/plugins/search/really-simple-guest-post/
#23. WP Rocket (Powerful caching plugin)
Total attacks: 694,115
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37074/
Website link: https://wordpress.org/plugins/tags/wp-rocket/
#24. Aspose Cloud eBook Generator (Create eBooks)
Total attacks: 144,725
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39575/
Website link: https://wordpress.org/plugins/aspose-cloud-ebook-generator/
#25. IBS Mappro (Map creator, editor and view generator)
Total attacks: 150,498
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/18989/
Website link: https://wordpress.org/plugins/ibs-mappro/
#26. WP SwimTeam (Swim league management system)
Total attacks: 441,445
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37601/
Website link: https://wordpress.org/plugins/wp-swimteam/
#27. ZoomSounds (Audio files and playlist manager)
Total attacks: 413,237
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37166/
Website link: http://digitalzoomstudio.net/docs/zoomsounds/
#28. Simple Download Button Shortcode (Download manager)
Total attacks: 369,066
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19020/
Website link: https://wordpress.org/plugins/search/simple-download-button-shortcode/
#29. Image Export (Attachment exporter)
Total attacks: 298,841
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39584/
Website link: https://wordpress.org/plugins/wp-attachment-export/
#30. Sell Downloads (Sell downloaded files)
Total attacks: 470,510
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/38868/
Website link: https://wordpress.org/plugins/sell-downloads/
#31. TheCartPress (Shopping cart enhancer)
Total attacks: 435,271
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/38869/
Website link: https://wordpress.org/plugins/thecartpress/
#32. Advance Uploader (Upload large files)
Total attacks: 432,619
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/38867/
Website link: https://wordpress.org/plugins/advanced-uploader/
#33. FileDownload (Manage, track, and control file downloads)
Total attacks: 350,875
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/30443/
Website link: https://wordpress.org/plugins/download-manager/
#34. Ajax Store Locator (Store location management system)
Total attacks: 339,801
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/36777/
Website link: https://wordpress.org/plugins/search/ajax+store/
#35. Brandfolder (Press kit management)
Total attacks: 330,113
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39591/
Website link: https://wordpress.org/plugins/brandfolder/
#36. Frontend Uploader (Easy content submission)
Total attacks: 215,921
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/31570/
Website link: https://wordpress.org/plugins/frontend-uploader/
#37. Peugeot Music Plugin (Music library management)
Total attacks: 211,274
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/36802/
Website link: https://pluginu.com/peugeot-music-plugin/
#38. Malapascua Agency* (Agency website management)
Total attacks: 207,877
Type: LFI
Exploit database: Not available
Website link: Not available
#39. The Viddler (Video responsive)
Total attacks: 204,447
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39646/
Website link: https://wordpress.org/plugins/search/the-viddler-wordpress-plugin/
#40. WP Post Frontend (Website post and profile management)
Total attacks: 203,197
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/39422/
Website link: https://wordpress.org/plugins/frontier-post/
#41. FormCraft (Custom form creator)
Total attacks: 201,984
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/30002/
Website link: https://wordpress.org/plugins/formcraft-form-builder/
#42. Simple Ads Manager (Ad optimizer)
Total attacks: 199,230
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36614/
Website link: https://wordpress.org/plugins/search/simple-ads-manager/
#43. WP EasyCart (Shopping cart extension)
Total attacks: 207,554
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/38160/
Website link: https://wordpress.org/plugins/wp-easycart/
#44. ReFlex Gallery (Multiple galleries for mobile)
Total attacks: 137,260
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36374/
Website link: https://wordpress.org/plugins/reflex-gallery/
#45. ACF Frontend Display (Website development)
Total attacks: 701,963
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37514/
Website link: https://wordpress.org/plugins/acf-frontend-display-by-catsplugins/
#46. Work The Flow File Upload (File upload capabilities)
Total attacks: 670,824
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36640/
Website link: https://wordpress.org/plugins/work-the-flow-file-upload/
#47. WP Shop (eCommerce site developer)
Total attacks: 111,546
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37530/
Website link: https://en-au.wordpress.org/plugins/wp-shop-original/
#48. Pretty Rev Slider (Custom slider installation)
Total attacks: 145,626
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36957/
Website link: https://wordpress.org/plugins/pretty-rev-slider/
#49. Inboundio Marketing (Website details management)
Total attacks: 112,696
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36478/
Website link: http://www.inboundio.com/
#50. eBook Download
Total attacks: 89,640
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39575/
Website link: https://wordpress.org/plugins/search/ebook/
Please note:
*The Malapascua Agency plugin in the list does not exist in the current version of the plugin. However, IMPress Agents, a WordPress-compatible plugin, is helping business owners with flexible solutions to build and manage their multiple agency website needs.
If you use any of the above plugins, ensure you upgrade to the latest version, and adopt Wordfence with the firewall enabled to protect your WordPress sites from unexpected brute-force attacks in the future.
Good luck!
Guest Author: Anil Parmar is the co-founder of Glorywebs, which specializes in WordPress web development services, web design and development, digital marketing and more. The themes and plugins we develop have a common #1 goal: keeping it as simple as possible for technical and non-technical users. Follow him on Twitter @abparmar99 and say hi.