• flipboard

The Top 50 Most Attacked WordPress Plugins Making Your Site Vulnerable to Hackers

The Top 50 Most Attacked WordPress Plugins Making Your Site Vulnerable to Hackers

Do you run a WordPress site? How aware are you of the vulnerabilities of your site to plugin attacks and hackers?

The WordPress Plugin Directory helps bloggers and website owners rid themselves of static pages and build intuitive user interfaces, all without the need to learn complex coding and website development skills.

However, given the open source and somewhat unregulated nature of the plugin directory, it presents potential security risks.

One study revealed that almost 98% of WordPress blogs were easily exploited because they were running outdated versions of the software, or outdated plugins.

The dark side of the WordPress Plugin

An inspection into some of the top WordPress plugins found that a considerable number of the top 50 WordPress plugins were exposed to the possibility of being attacked via SQL injection and XSS. And, a separate inspection conducted for the top 10 eCommerce plugins found that 7 of them contained vulnerabilities.

This post will highlight the 50 most attacked WordPress Plugins in 2017. The report will showcase:

  • The number of total attacks. This will determine the total number of attacks that were reported by the particular plugin.
  • The type of the attack. This will reflect the “Location File Inclusion” (LFI) attack that allows exploiters to download any file they want, or the “Unrestricted File Upload” that allows exploiters to upload a “shell” that gives them full remote access to target the site.
  • The exploit database link. This will determine the language used by the penetration testers and vulnerability researchers.
  • The WordPress plugin website.This will provide you details and information about the plugin and a link to download.

If you use any of these attacked WordPress plugins on your website, you may want to look into ways to improve your security.

#1. Recent Backups (Backup for your website)

Total attacks: 2,159,725

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37752/

Website link: https://wordpress.org/plugins/recent-backups/

Note: We mistakenly labeled this plugin as a different plugin called BackUpWordPress. The BackUpWordPress plugin has actually been in the WordPress.org directory for a very long time with no known exploits, so we apologize for the error. As you can see above, the plugin with the known problem is called Recent Backups and is no longer available to download.

#2. WP Symposium Pro (Social-networking plugin)

Total attacks: 2,517,975

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/35543/

Website link: https://wordpress.org/plugins/wp-symposium-pro/

#3. WPTF Image Gallery (Modern photo gallery)

Total attacks: 2,164,929

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37751/

Website link: https://wpcore.com/plugin/wptf-image-gallery

#4. Google MP3 Audio Player (Audio Files)

Total attacks: 128,622

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/35460/

Website link: https://wordpress.org/plugins/search/google-mp3-audio-player/

#5. WP-Database-Backup (Automated backup collection to email)

Total attacks: 148,661

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/35378/

Website link: https://wordpress.org/plugins/wp-database-backup/

#6. WooCommerce Extra Product Options (Enhanced product options)

Total attacks: 1,011,602

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39421/

Website link: https://wordpress.org/plugins/woocommerce-store-toolkit/

#7. WP e-Commerce Shop Styling (E-commerce store improvements)

Total attacks: 2,137,509

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37530/

Website link: https://wordpress.org/plugins/wp-ecommerce-shop-styling/

#8. Candidate Application Form (Vacancy adverts management)

Total attacks: 2,158,179

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37754/

Website link: https://wordpress.org/plugins/candidate-application-form

#9. WP Mobile Detector (Maintain responsive integrity)

Total attacks: 5,174,567

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/39891/

Website link: https://wordpress.org/plugins/wp-mobile-detector/changelog

#10. Ajax Pagination (Flexible page linking)

Total attacks: 276,883

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/32622/

Website link: http://wordpress.org/plugins/ajax-pagination/

#11. Newsletter (List building)

Total attacks: 124858

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19018/

Website link: http://wordpress.org/extend/plugins/plugin-newsletter/

#12. Google Photos Gallery (Manage and stack photos in categories)

Total attacks: 136,833

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19055/

Website link: https://wordpress.org/plugins/google-picasa-albums-viewer/

#13. Tinymce Thumbnail Gallery (Thumbnail image gallery)

Total attacks: 133,348

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19022/

Website link: https://wordpress.org/plugins/tinymce-thumbnail-gallery/

#14. DukaPress (Online store builder)

Total attacks: 135,206

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/35346/

Website link: https://wordpress.org/plugins/dukapress/

#15. WP File Manager (File manager)

Total attacks: 146,480

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/25440/

Website link: http://wordpress.org/extend/plugins/wp-filemanager/

#16. History Collection (Save and track history)

Total attacks: 140,769

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37254/

Website link: https://wordpress.org/plugins/search/history-collection/

#17. JW Player for Flash & HTML5 Video (Video management system)

Total attacks: 142,925

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39212/

#18. SP Project & Document Manager (Organize, share and secure documents)

Total attacks: 134,482

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36576/

#19. Work The Flow File Upload (Easy file uploads)

Total attacks: 1,058,754

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36640/

#20. YouTube Downloader (Insert video to posts)

Total attacks: 129,015

Type: LFI

Exploit database: Not available

#21. PayPal Currency Converter (Payment gateway integration)

Total attacks: 131,075

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37253/

Website link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/

#22. Really Simple Guest Post (Create and manage posts)

Total attacks: 340,145

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37209/

Website link: https://wordpress.org/plugins/search/really-simple-guest-post/

#23. WP Membership (Membership plugin)

Total attacks: 694,115

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37074/

Website link: http://wpmembership.e-plugins.com/

#24. eBook Download (Create eBooks)

Total attacks: 144,725

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39575/

#25. Google Maps via Store Locator (Map creator, editor and view generator)

Total attacks: 150,498

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/18989/

Website link: http://wordpress.org/extend/plugins/store-locator-le/

#26. WP SwimTeam (Swim league management system)

Total attacks: 441,445

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/37601/

Website link: https://wordpress.org/plugins/wp-swimteam/

#27. ZoomSounds (Audio files and playlist manager)

Total attacks: 413,237

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37166/

Website link: http://digitalzoomstudio.net/docs/zoomsounds/

#28. Simple Download Button Shortcode (Download manager)

Total attacks: 369,066

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/19020/

Website link: https://wordpress.org/plugins/search/simple-download-button-shortcode/

#29. Image Export (Attachment exporter)

Total attacks: 298,841

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39584/

Website link: http://www.1efthander.com/category/wordpress-plugins/image-export

#30. Sell Download (Sell downloaded files)

Total attacks: 470,510

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/38868/

Website link: https://wordpress.org/plugins/sell-downloads/

#31. TheCartPress (Shopping cart enhancer)

Total attacks: 435,271

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/38869/

Website link: https://wordpress.org/plugins/thecartpress/

#32. Advance Uploader (Upload large files)

Total attacks: 432,619

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/38867/

Website link: https://wordpress.org/plugins/advanced-uploader/

#33. FileDownload (Manage, track, and control file downloads)

Total attacks: 350,875

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/30443/

Website link: http://mysitemyway.com/theme/persuasion-wordpress-theme/

#34. Ajax Store Locator (Store location management system)

Total attacks: 339,801

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36777/

Website link: http://codecanyon.net/item/ajax-store-locator-wordpress/5293356

#35. Brandfolder (Press kit management)

Total attacks: 330,113

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39591/

Website link: https://wordpress.org/plugins/brandfolder/ 

#36. Frontend Upload (Easy content submission)

Total attacks: 215,921

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/31570/

#37. Tune Library (Music library management)

Total attacks: 211,274

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/36802/

Website link: https://wordpress.org/plugins/tune-library/

#38. Malapascua Agency* (Agency website management)

Total attacks: 207,877

Type: LFI

Exploit database: Not available

#39. Advanced Video (Video responsive)

Total attacks: 204,447

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39646/

Website link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/

#40. WP User Frontend (Website post and profile management)

Total attacks: 203,197

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/39422/

Website link: https://wordpress.org/plugins/wp-user-frontend

#41. FormCraft (Custom form creator)

Total attacks: 201,984

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/30002/

Website link: https://wordpress.org/plugins/formcraft-form-builder/

#42. Simple Ads Manager (Ad optimizer)

Total attacks: 199,230

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36614/

Website link: https://wordpress.org/plugins/search/simple-ads-manager/

#43. Shopping Cart for WordPress (Shopping cart extension)

Total attacks: 207,554

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/38160/

#44. ReFlex Gallery (Multiple galleries for mobile)

Total attacks: 137,260

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36374/

Website link: https://wordpress.org/plugins/reflex-gallery/

#45. ACF Frontend Display (Website development)

Total attacks: 701,963

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37514/

Website link: https://wordpress.org/plugins/acf-frontend-display-by-catsplugins/ 

#46. Work The Flow File Upload (File upload capabilities)

Total attacks: 670,824

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36640/

Website link: https://wordpress.org/plugins/work-the-flow-file-upload/

#47. WP E-Commerce Shop Styling (eCommerce site developer)

Total attacks: 111,546

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/37530/

Website link: https://wordpress.org/plugins/wp-ecommerce-shop-styling

#48. RevSlider (Custom slider installation)

Total attacks: 145,626

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36957/

#49. Inboundio Marketing (Website details management)

Total attacks: 112,696

Type: Shell

Exploit database: https://www.exploit-db.com/exploits/36478/

Website link: http://www.inboundio.com/

#50. eBook Download

Total attacks: 89,640

Type: LFI

Exploit database: https://www.exploit-db.com/exploits/39575/

Please note:

*The Malapascua Agency plugin in the list does not exist in the current version of the plugin. However, IMPress Agents a WordPress compatible plugin is helping business owners with flexible solutions to build and manage their multiple agency website needs.

If you use any of the above plugins, ensure you upgrade to the latest version, and adopt Wordfence with Firewall enabled to protect your WordPress sites from unexpected brute force attacks in the future.

Good luck!

Guest Author: Anil Parmar is the co-founder of Glorywebs that specializes in WordPress web development services, web design & development, digital marketing and more. Themes & plugins we develop have a common # 1 goal: Keeping it as simple as possible for technical & non tech geeks. Follow him on Twitter @abparmar99 & say Hi

Jeffbullas's Blog


  • Imagic Institute

    Thanks Anil for this article. This will be really be very useful for our students.