Do you run a WordPress site? How aware are you of your site's exposure to plugin vulnerabilities and the hackers who target them?
The WordPress Plugin Directory helps bloggers and website owners rid themselves of static pages and build intuitive user interfaces, all without the need to learn complex coding and website development skills.
However, given the open source and somewhat unregulated nature of the plugin directory, it presents potential security risks.
One study revealed that almost 98% of WordPress blogs were easily exploited because they were running outdated versions of the software, or outdated plugins.
The dark side of the WordPress Plugin
An inspection of some of the top WordPress plugins found that a considerable number of the top 50 WordPress plugins were exposed to attack via SQL injection and XSS. A separate inspection of the top 10 eCommerce plugins found that 7 of them contained vulnerabilities.
This post will highlight the 50 most attacked WordPress plugins in 2017. For each plugin the report shows:
- The number of total attacks. This is the total number of attacks reported against the particular plugin.
- The type of attack. This is either "Local File Inclusion" (LFI), which allows exploiters to download any file they want from the server, or "Unrestricted File Upload", which allows exploiters to upload a "shell" that gives them full remote access to the target site.
- The exploit database link. This links to the Exploit Database entry in which penetration testers and vulnerability researchers document the issue.
- The WordPress plugin website. This provides details and information about the plugin and a link to download it.
If you use any of these attacked WordPress plugins on your website, you may want to look into ways to improve your security.
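The two attack types listed above leave recognisable traces in a web server's access log. The following added example (not from the original post) parses combined-format log lines and flags traversal requests aimed at plugin file handlers (LFI), direct POSTs to plugin upload endpoints, and PHP being executed from the uploads directory (a dropped shell). The log lines, hosts and plugin slugs are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (combined format); hosts and plugin slugs are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2017:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2017:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 231 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2017:10:02:11 +0000] "POST /wp-content/plugins/example-uploader/upload.php HTTP/1.1" 200 512 "-" "python-requests/2.9"
198.51.100.7 - - [12/Mar/2017:10:02:14 +0000] "GET /wp-content/uploads/2017/03/cmd.php?c=id HTTP/1.1" 200 64 "-" "python-requests/2.9"
192.0.2.9 - - [12/Mar/2017:10:03:00 +0000] "GET /wp-content/plugins/example-plugin/style.css HTTP/1.1" 200 9876 "https://example.org/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TRAVERSAL = re.compile(r'\.\.[/\\]')                       # ../ or ..\ after decoding
PLUGIN_PATH = re.compile(r'^/wp-content/plugins/', re.I)
UPLOAD_HANDLER = re.compile(r'^/wp-content/plugins/[^?]*upload[^?]*\.php', re.I)
PHP_IN_UPLOADS = re.compile(r'^/wp-content/uploads/[^?]*\.ph(?:p\d?|tml)(?:[/?]|$)', re.I)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the finding types for one request; an empty list means nothing suspicious."""
    # Decode twice so %252e%252e%252f (double-encoded ../) is caught as well.
    path = unquote(unquote(entry["path"]))
    findings = []
    if PLUGIN_PATH.match(path) and TRAVERSAL.search(path):
        findings.append("LFI")            # traversal aimed at a plugin file handler
    if entry["method"] == "POST" and UPLOAD_HANDLER.match(path):
        findings.append("UPLOAD")         # direct POST to a plugin's upload endpoint
    if PHP_IN_UPLOADS.match(path):
        findings.append("SHELL")          # PHP executed from the uploads directory
    return findings

def scan(log_text):
    """Return (hits, per_ip): one tuple per finding and a Counter of findings per source IP."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for kind in classify(entry):
            # A 200 status on a traversal or shell request means it most likely succeeded.
            hits.append((entry["ip"], kind, entry["status"], entry["path"]))
            per_ip[entry["ip"]] += 1
    return hits, per_ip
```

Run `scan()` over a real access log and review the hits with status 200 first; a 404 or 403 on a traversal request usually means the attempt was blocked.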
#1. Recent Backups (Backup for your website)
Total attacks: 2,159,725
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37752/
Website link: https://wordpress.org/plugins/recent-backups/
Note: We mistakenly labeled this plugin as a different plugin called BackUpWordPress. The BackUpWordPress plugin has actually been in the WordPress.org directory for a very long time with no known exploits, so we apologize for the error. As you can see above, the plugin with the known problem is called Recent Backups and is no longer available to download.
#2. WP Symposium Pro (Social-networking plugin)
Total attacks: 2,517,975
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/35543/
Website link: https://wordpress.org/plugins/wp-symposium-pro/
#3. WPTF Image Gallery (Modern photo gallery)
Total attacks: 2,164,929
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37751/
Website link: https://wpcore.com/plugin/wptf-image-gallery
#4. Google MP3 Audio Player (Audio Files)
Total attacks: 128,622
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/35460/
Website link: https://wordpress.org/plugins/search/google-mp3-audio-player/
#5. WP-Database-Backup (Automated backup collection to email)
Total attacks: 148,661
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/35378/
Website link: https://wordpress.org/plugins/wp-database-backup/
#6. WooCommerce Extra Product Options (Enhanced product options)
Total attacks: 1,011,602
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39421/
Website link: https://wordpress.org/plugins/woocommerce-store-toolkit/
#7. WP e-Commerce Shop Styling (E-commerce store improvements)
Total attacks: 2,137,509
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37530/
Website link: https://wordpress.org/plugins/wp-ecommerce-shop-styling/
#8. Candidate Application Form (Vacancy adverts management)
Total attacks: 2,158,179
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37754/
Website link: https://wordpress.org/plugins/candidate-application-form
#9. WP Mobile Detector (Maintain responsive integrity)
Total attacks: 5,174,567
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/39891/
Website link: https://wordpress.org/plugins/wp-mobile-detector/changelog
#10. Ajax Pagination (Flexible page linking)
Total attacks: 276,883
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/32622/
Website link: https://wordpress.org/plugins/ajax-pagination/
#11. Newsletter (List building)
Total attacks: 124,858
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19018/
Website link: https://wordpress.org/extend/plugins/plugin-newsletter/
#12. Google Photos Gallery (Manage and stack photos in categories)
Total attacks: 136,833
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19055/
Website link: https://wordpress.org/plugins/google-picasa-albums-viewer/
#13. Tinymce Thumbnail Gallery (Thumbnail image gallery)
Total attacks: 133,348
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19022/
Website link: https://wordpress.org/plugins/tinymce-thumbnail-gallery/
#14. DukaPress (Online store builder)
Total attacks: 135,206
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/35346/
Website link: https://wordpress.org/plugins/dukapress/
#15. WP File Manager (File manager)
Total attacks: 146,480
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/25440/
Website link: https://wordpress.org/extend/plugins/wp-filemanager/
#16. History Collection (Save and track history)
Total attacks: 140,769
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37254/
Website link: https://wordpress.org/plugins/search/history-collection/
#17. JW Player for Flash & HTML5 Video (Video management system)
Total attacks: 142,925
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39212/
#18. Work The Flow File Upload (Easy file uploads)
Total attacks: 1,058,754
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/36640/
#19. YouTube Downloader (Insert video to posts)
Total attacks: 129,015
Type: LFI
Exploit database: Not available
#20. PayPal Currency Converter (Payment gateway integration)
Total attacks: 131,075
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37253/
Website link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
#21. Really Simple Guest Post (Create and manage posts)
Total attacks: 340,145
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37209/
Website link: https://wordpress.org/plugins/search/really-simple-guest-post/
#22. WP Membership (Membership plugin)
Total attacks: 694,115
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37074/
Website link: https://wpmembership.e-plugins.com/
#23. eBook Download (Create eBooks)
Total attacks: 144,725
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39575/
#24. Google Maps via Store Locator (Map creator, editor and view generator)
Total attacks: 150,498
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/18989/
Website link: https://wordpress.org/extend/plugins/store-locator-le/
#25. WP SwimTeam (Swim league management system)
Total attacks: 441,445
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/37601/
Website link: https://wordpress.org/plugins/wp-swimteam/
#26. ZoomSounds (Audio files and playlist manager)
Total attacks: 413,237
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37166/
Website link: https://digitalzoomstudio.net/docs/zoomsounds/
#27. Simple Download Button Shortcode (Download manager)
Total attacks: 369,066
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/19020/
Website link: https://wordpress.org/plugins/search/simple-download-button-shortcode/
#28. Image Export (Attachment exporter)
Total attacks: 298,841
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39584/
Website link: https://www.1efthander.com/category/wordpress-plugins/image-export
#29. Sell Download (Sell downloaded files)
Total attacks: 470,510
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/38868/
Website link: https://wordpress.org/plugins/sell-downloads/
#30. TheCartPress (Shopping cart enhancer)
Total attacks: 435,271
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/38869/
Website link: https://wordpress.org/plugins/thecartpress/
#31. Advance Uploader (Upload large files)
Total attacks: 432,619
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/38867/
Website link: https://wordpress.org/plugins/advanced-uploader/
#32. FileDownload (Manage, track, and control file downloads)
Total attacks: 350,875
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/30443/
Website link: https://mysitemyway.com/theme/persuasion-wordpress-theme/
#33. Ajax Store Locator (Store location management system)
Total attacks: 339,801
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/36777/
Website link: https://codecanyon.net/item/ajax-store-locator-wordpress/5293356
#34. Brandfolder (Press kit management)
Total attacks: 330,113
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39591/
Website link: https://wordpress.org/plugins/brandfolder/
#35. Frontend Upload (Easy content submission)
Total attacks: 215,921
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/31570/
#36. Tune Library (Music library management)
Total attacks: 211,274
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/36802/
Website link: https://wordpress.org/plugins/tune-library/
#37. Malapascua Agency* (Agency website management)
Total attacks: 207,877
Type: LFI
Exploit database: Not available
#38. Advanced Video (Video responsive)
Total attacks: 204,447
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39646/
Website link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
#39. WP User Frontend (Website post and profile management)
Total attacks: 203,197
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/39422/
Website link: https://wordpress.org/plugins/wp-user-frontend
#40. FormCraft (Custom form creator)
Total attacks: 201,984
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/30002/
Website link: https://wordpress.org/plugins/formcraft-form-builder/
#41. Simple Ads Manager (Ad optimizer)
Total attacks: 199,230
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36614/
Website link: https://wordpress.org/plugins/search/simple-ads-manager/
#42. Shopping Cart for WordPress (Shopping cart extension)
Total attacks: 207,554
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/38160/
#43. ReFlex Gallery (Multiple galleries for mobile)
Total attacks: 137,260
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36374/
Website link: https://wordpress.org/plugins/reflex-gallery/
#44. ACF Frontend Display (Website development)
Total attacks: 701,963
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37514/
Website link: https://wordpress.org/plugins/acf-frontend-display-by-catsplugins/
#45. Work The Flow File Upload (File upload capabilities)
Total attacks: 670,824
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36640/
Website link: https://wordpress.org/plugins/work-the-flow-file-upload/
#46. WP E-Commerce Shop Styling (eCommerce site developer)
Total attacks: 111,546
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/37530/
Website link: https://wordpress.org/plugins/wp-ecommerce-shop-styling
#47. RevSlider (Custom slider installation)
Total attacks: 145,626
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36957/
#48. Inboundio Marketing (Website details management)
Total attacks: 112,696
Type: Shell
Exploit database: https://www.exploit-db.com/exploits/36478/
Website link: https://www.inboundio.com/
#49. eBook Download
Total attacks: 89,640
Type: LFI
Exploit database: https://www.exploit-db.com/exploits/39575/
Please note:
*The Malapascua Agency plugin in the list no longer exists in a current version. However, IMPress Agents, a WordPress-compatible plugin, helps business owners with flexible solutions to build and manage their multiple agency website needs.
If you use any of the above plugins, make sure you upgrade to the latest version, and adopt Wordfence with its firewall enabled to protect your WordPress sites from unexpected brute-force attacks in the future.
Good luck!
Guest Author: Anil Parmar is the co-founder of Glorywebs, which specializes in WordPress web development services, web design & development, digital marketing and more. Themes & plugins we develop have a common #1 goal: keeping it as simple as possible for technical & non-tech geeks. Follow him on Twitter @abparmar99 & say Hi
