Hacked, Dangerous and Vulnerable WordPress Plugins

With over 47 thousand plugins in the official WordPress repository and thousands more available on various other marketplaces and sites, finding those that work well is a daunting task. Finding WordPress plugins that are secure and won’t endanger your site is an even harder task due to the complex nature of WordPress security and often massive plugins with thousands of lines of code.

Although we can’t help you avoid every single bad plugin, we can pinpoint those who have known, confirmed vulnerabilities and security issues. Unless you know what you’re doing, you’re testing something on a local installation, or you’re into WordPress security, you should not use the dangerous plugins listed below on production sites. Problems explained in the table below are well known and documented, making it easy for anyone with bad intentions to exploit those security holes and attack your site.

By listing plugins on this page, we mean no disrespect to them or their authors! We only want to warn users not to install specific versions that have known security issues. If you feel your plugin has been listed by fault or need help updating it, please contact us.

How to use this page and the list of vulnerable plugins?

If you’re using any of the listed plugins, double-check the version number and confirm that it’s the one with known problems. If so – remove the plugin immediately! This includes deactivating it and deleting. Not just deactivating. You can also contact the author and ask him if the problems have been fixed and if not urge him to do so.


Vulnerability types

A quick reminder of the most common security holes and issues WordPress plugins face. Please note that most problems are a combination of two or more types listed below.

Arbitrary file viewing
Instead of allowing only certain file source to be viewed (for example plugin templates) the lack of checks in the code allows the attacker to view the source of any file, including those with sensitive information such as wp-config.php

Arbitrary file upload
Lack of file type and content filtering allows for upload of arbitrary files that can contain executable code which, once run, can do pretty much anything on a site

Privilege escalation
Once the attacker has an account on the site, even if it’s only of the subscriber type, he can escalate his privileges to a higher level, including administrative ones.

SQL injection
By not escaping and filtering data that goes into SQL queries, malicious code can be injected into queries and data deleted, updated or inserted into the database. This is one of the most common vulnerabilities.

Remote code execution (RCE)
Instead of uploading and running malicious code, the attacker can run it from a remote location. The code can do anything, from hijacking the site to completely deleting it.

List of hacked, dangerous & vulnerable WordPress plugins

Plugin NameVulnerability TypeMin / Max Versions Affected
1 Flash Galleryarbitrary file upload1.3.0 / 1.5.6
360 Product Rotationarbitrary file upload1.1.3 / 1.2.0
Tevolutionarbitrary file upload2.0 / 2.2.9
Addblockblockerarbitrary file upload0.0.1
Ads Widgetremote code execution (RCE)2.0 / n/a
Advanced Access Managerprivilege escalation3.0.4 / 3.2.1
Advanced Ajax Page Loaderarbitrary file upload2.5.7 / 2.7.6
Advanced Video Embed Embed Videos Or Playlistsarbitrary file viewingn/a / 1.0
Analyticremote code execution (RCE)1.8
Analytics CounterPHP object injection1.0.0 / 3.4.1
AppointmentsPHP object injection1.4.4 Beta / 2.2.0
Asgaros Forumsettings change1.0.0 / 1.5.7
Aspose Cloud Ebook Generatorarbitrary file viewing1.0
Aspose Doc Exporterarbitrary file viewing1.0
Aspose Importer Exporterarbitrary file viewing1.0
Aspose Pdf Exporterarbitrary file viewing1.0
Attachment Managerarbitrary file upload1.0.0 / 2.1.1
Auto Attachmentsarbitrary file upload0.2.7 / 0.3
Bbpress Like ButtonSQL injection1.0 / 1.5
Bepro Listingsarbitrary file upload2.0.54 / 2.2.0020
Blaze Slide Show For Wordpressarbitrary file upload2.0 / 2.7
Brandfolderlocal file inclusion (LFI)2.3 / 3.0
Breadcrumbs Ezremote code execution (RCE)n/a
Candidate Application Formarbitrary file viewing1.0
Cardoza Facebook Like Boxarbitrary file upload2.8.9 / 2.9.1
Category Grid View Galleryarbitrary file upload0.1.0 / 0.1.1
Category Page Iconsrestricted file upload0.1 / 0.9.1
Cherry Pluginarbitrary file upload1.0 / 1.2.6
Chikuncountarbitrary file upload1.3
Cip4 Folder Download Widgetarbitrary file viewing1.4 / 1.10
Cms Commander ClientPHP object injection2.02 / 2.21
Contus Video Galleryarbitrary file viewing2.2 / 2.3
Cookie Euremote code execution (RCE)1.0
Cp Image Storearbitrary file viewing1.0.1 / 1.0.5
Cross Rssarbitrary file viewing0.5
Custom Content Type Managerremote code execution (RCE)
Custom Lightboxpossible remote code execution (RCE)0.24
Cysteme Finderarbitrary file viewing1.1 / 1.3
Db Backuparbitrary file viewing1.0 / 4.5
Delete All Commentsarbitrary file upload2.0
Developer Toolsarbitrary file upload1.0.0 / 1.1.4
Disclosure Policy Pluginremote file inclusion (RFI)1.0
Display Widgetsremote code execution (RCE)2.6
Dop Sliderarbitrary file upload1.0
Download Zip Attachmentsarbitrary file viewing1
Downloads Managerarbitrary file upload1.0 Beta / 1.0 rc-1
Dp Thumbnailarbitrary file upload1.0
Dropbox BackupPHP object injection1.0 /
Dukapressarbitrary file viewing2.3.7 / 2.5.3
Duplicate Page And Postspam injection2.1.0 / 2.1.1
Ebook Downloadarbitrary file viewing1.1
Ecstaticarbitrary file upload0.90 (x9) / 0.9933
Ecwid Shopping CartPHP object injection3.4.4 / 4.4.3
Email Subscribersinformation disclosure1.2 / 3.4.7
Enable Google Analyticsremote code execution (RCE)n/a
Estatikarbitrary file upload1.0.0 / 2.2.5
Event Commerce Wp Event Calendarpersistent cross-site scripting (XSS)1.0
Filedownloadarbitrary file viewing0.1
Flickr GalleryPHP object injection1.2 / 1.5.2
Font Uploaderrestricted file upload1.0 / 1.2.4
Form Lightboxoption update1.1 / 2.1
Formidableinformation disclosure1.07.5 / 2.0.07
Fresh Pagearbitrary file upload.11 / 1.1
Front End Uploadarbitrary file upload0.3.0 / 0.5.3
Front File Managerarbitrary file upload0.1
Fs Real Estate PluginSQL injection1.1 / 2.06.03
G Translateremote code execution (RCE)1.0 / 1.3
Gallery ObjectsSQL injection0.2 / 0.4
Gallery Pluginrestricted file upload1.01 / 3.1
Gallery Sliderremote code execution (RCE)2.0 / 2.1
Genesis Simple Defaultsarbitrary file upload1.0.0
Gi Media Libraryarbitrary file viewing1.0.300 / 2.2.2
Google Analytics Analyzeremote code execution (RCE)1.0
Google Document EmbedderSQL injection2.5 / 2.5.16
Google Maps By Daniel Martynremote code execution (RCE)1.0
Google Mp3 Audio Playerarbitrary file viewing1.0.9 / 1.0.11
Grapefilearbitrary file upload1.0 / 1.1
Gravityformsreflected cross-site scripting (XSS)1.7 /
Hb Audio Gallery Litearbitrary file viewing1.0.0
Hd WebplayerSQL injection1.0 / 1.1
History Collectionarbitrary file viewing1.1. / 1.1.1
Html5avmanagerarbitrary file upload0.1.0 / 0.2.7
I Dump Iphone To Wordpress Photo Uploaderarbitrary file upload1.1.3 / 1.8
Ibs Mapproarbitrary file viewing0.1 / 0.6
Image Exportarbitrary file viewing1.0.0 / 1.1.0
Image Symlinksarbitrary file upload0.5 / 0.8.2
Imdb Widgetarbitrary file viewing1.0.1 / 1.0.8
Inboundio Marketingarbitrary file upload1.0.0 / 2.0
Infusionsoftarbitrary file upload1.5.3 / 1.5.10
Inpost Gallerylocal file inclusion (LFI)2.0.9 / 2.1.2
Invit0rarbitrary file upload0.2 / 0.22
Ip Loggerarbitrary file upload2.6 / 3.0
Is Humanremote code execution (RCE)1.3.3 / 1.4.2
Iwp ClientPHP object injection0.1.4 / 1.6.0
Jssor Sliderarbitrary file upload1.0 / 1.3
Kingcomposerarbitrary file upload2.7 / 2.7.4
Like Dislike Counter For Posts Pages And CommentsSQL injection1.0 / 1.2.3
Mac Dock Galleryarbitrary file upload1.0 / 2.7
Magic Fieldsarbitrary file upload1.5 / 1.5.5
Mailchimp Integrationremote code execution (RCE)1.0.1 / 1.1
MailinSQL injection2.6.0 / 2.8.3
Mailpresslocal file inclusion (LFI)5.2 / 5.4.6
Mdc Youtube Downloaderarbitrary file viewing2.1.0
Membership Simplified For Oap Members Onlyarbitrary file viewingBeta 1.27 / Beta 1.58
Menu Imagemalicious JavaScript loading2.6.5 / 2.6.9
Miwoftparbitrary file viewing1.0.0 / 1.0.4
Mm Forms Communityarbitrary file upload1.0 / 2.2.6
Mobile App Builder By Wappressarbitrary file uploadn/a / 1.05
Mobile Friendly App Builder By Easytoucharbitrary file upload3.0
Multi Plugin Installerarbitrary file viewing1.0.0 / 1.1.0
Mypixslocal file inclusion (LFI)0.3
Newsletters LitePHP object injection4.0 /
Nmedia User File Uploaderarbitrary file upload1.8
Nofollow All External Linksspam injection2.1.0 / 2.3.0
Open Flash Chart Core Wordpress Plugin0.2 / 0.4
Option Seoremote code execution (RCE)1.5
Page Google Mapsremote code execution (RCE)1.4
Party Hall Booking Management SystemSQL injection1.0 / 1.1
Paypal Currency Converter Basic For Woocommercearbitrary file viewing1.0 / 1.3
Php Analyticsarbitrary file uploadn/a
Php Event Calendararbitrary file upload1.5.8 / 1.6
Pica Photo Galleryarbitrary file viewing1.0
Pitchprintarbitrary file upload7.1 / 7.1.1
Plugin Newsletterarbitrary file viewing1.3 / 1.5
Post Gridfile deletion2.0.6 / 2.0.12
Posts In Pageauthenticated local file inclusion (LFI)1.0.0 / 1.2.4
Pretty Linkauthenticated short link creation2.0.0 / 2.1.2
Really Simple Guest Postlocal file inclusion (LFI)1.0.1 / 1.0.6
Recent Backupsarbitrary file viewing0.1 / 0.7
Reflex Galleryarbitrary file upload1.0 / 3.0
Resume Submissions Job Postingsarbitrary file upload2.0 / 2.5.3
Return To Topremote code execution (RCE)1.8 / 5.0
Revsliderarbitrary file viewing1.0 / 4.1.4
S3bubble Amazon S3 Html 5 Video With Advertsarbitrary file viewing0.5 / 0.7
Sam Pro Freelocal file inclusion (LFI) /
Se Html5 Album Audio Playerarbitrary file viewing1.0.8 / 1.1.0
Sell Downloadsarbitrary file viewing1.0.1
Seo Keyword Pageremote code execution (RCE)2.0.5
Seo Spy Google Wordpress Pluginarbitrary file upload2.0 / 2.6
Seo Watcherarbitrary file upload1.3.2 / 1.3.3
Sexy Contact Formarbitrary file upload0.9.1 / 0.9.8
Sfwd Lmsarbitrary file upload1.3.6 / 2.5.3
Share Buttons Wpremote code execution (RCE)1.0
Sharexyrestricted file upload4.0 / 4.2.2
Shortcodes Ultimateauthenticated remote code execution (RCE)4.5.0 / 5.0.0
Showbizarbitrary file viewing1.0 / 1.5.2
Simple Ads Managerinformation disclosure2.0.73 / 2.7.101
Simple Download Button Shortcodearbitrary file viewing1.0
Simple Dropbox Upload Formarbitrary file upload1.8.6 / 1.8.8
Simple Image Manipulatorarbitrary file viewing1.0
Simplr Registration Formprivilege escalation2.2.0 / 2.4.3
Site Editorlocal file inclusion (LFI)1.0.0 / 1.1.1
Site Importremote page inclusion1.0.0 / 1.2.0
Slide Show Proarbitrary file upload2.0 / 2.4
Smart Google Code Inserterpersistent cross-site scripting (XSS)1.0 / 3.4
Smart Slide Showarbitrary file upload2.0 / 2.4
Smart Videosremote code execution (RCE)1.0
Social Networking E Commerce 1arbitrary file upload0.0.32
Social Sharingpossible arbitrary file upload1.0
Social Sticky Animatedremote code execution (RCE)1.0
Spamtaskarbitrary file upload1.3 / 1.3.6
Spicy Blogrolllocal file inclusion (LFI)0.1 / 1.0.0
Spotlightyourarbitrary file upload1.0 / 4.5
Stats CounterPHP object injection1.0 /
Stats Wpremote code execution (RCE)1.8
Store Locator Leunrestricted email sending2.6 / 4.2.56
Table MakerPHP object injection through SQL injection1.4 / 1.6
Taxonomy Terms Orderauthenticated PHP object injection1.2.4 /
Tera Chartsreflected cross-site scripting (XSS)0.1 / 1.0
The Viddler Wordpress Plugincross-site request forgery (CSRF)/cross-site scripting (XSS)1.2.3 / 2.0.0
Thecartpresslocal file inclusion (LFI)1.1.0 / 1.1.5
Tinymce Thumbnail Galleryarbitrary file viewingv1.0.4 / v1.0.7
Ultimate Memberarbitrary file upload2.0.4 / 2.0.21
Ultimate Product Cataloguearbitrary file upload1.0 / 3.1.1
Ungalleryarbitrary file viewing0.8 / 1.5.8
User Filesarbitrary file upload2.0 / 2.4.2
User Role Editorprivilege escalation4.19 / 4.24
Web Tripwirearbitrary file upload0.1.2
Webapp Builderarbitrary file upload2.0
Website Contact Form With File Uploadarbitrary file upload1.1 / 1.3.4
Weever Apps 20 Mobile Web Appsarbitrary file upload3.0.25 / 3.1.6
Woocommerce Catalog Enquiryarbitrary file upload2.3.3 / 3.0.0
Woocommerce Product Addonarbitrary file upload1.0 / 1.1
Woocommerce Products Filterauthenticated persistent cross-site scripting (XSS)1.1.4 /
Woopraarbitrary file upload1.4.1 /
Wordpress File Monitorpersistent cross-site scripting (XSS)2.0 / 2.3.3
Work The Flow File Uploadarbitrary file upload0.1.6 / 2.5.2
Wp Appointment Schedule Booking Systempersistent cross-site scripting (XSS)1.0
Wp Business Intelligence Litearbitrary file upload1.0 / 1.0.7
Wp Crmarbitrary file upload0.15 / 0.31.0
Wp Custom Pagearbitrary file viewing0.5 /
Wp Dreamworkgalleryarbitrary file upload2.0 / 2.3
Wp Easybookingreflected cross-site scripting (XSS)1.0.0 / 1.0.3
Wp Easycartauthenticated arbitrary file upload1.1.27 / 3.0.8
Wp Ecommerce Shop Stylingauthenticated arbitrary file viewing1.0 / 2.5
Wp Editorauthenticated arbitrary file upload1.0.2 /
Wp Filemanagerarbitrary file viewing1.2.8 / 1.3.0
Wp Flipslideshowpersistent cross-site scripting (XSS)2.0 / 2.2
Wp Front End Repositoryarbitrary file upload1.0.0 / 1.1
Wp Google Drivearbitrary file deletion2.0 / 2.2
Wp Handy Lightboxremote code execution (RCE)1.4.5
Wp Homepage Slideshowarbitrary file upload2.0 / 2.3
Wp Image News Sliderarbitrary file upload3.0 / 3.5
Wp Js External Link Infoopen redirect (after interstitial)1.0 / 1.21
Wp Levoslideshowarbitrary file upload2.0 / 2.3
Wp Miniaudioplayerarbitrary file viewing0.5 / 1.2.7
Wp Mobile Detectorauthenticated persistent cross-site scripting (XSS)3.0 / 3.2
Wp Monarbitrary file viewing0.5 / 0.5.1
Wp Noexternallinksspam injection4.2.0 / 4.2.2
Wp Online Storearbitrary file viewing1.2.5 / 1.3.1
Wp Piwikpersistent cross-site scripting (XSS) / 1.0.10
Wp Popupremote code execution (RCE)2.0.0 / 2.1
Wp Post Frontendarbitrary file upload1.0
Wp Propertyarbitrary file upload1.20.0 / 1.35.0
Wp Quick Booking Managerpersistent cross-site scripting (XSS)1.0 / 1.1
Wp Royal Gallerypersistent cross-site scripting (XSS)2.0 / 2.3
Wp Seo Spy Googlearbitrary file upload3.0 / 3.1
Wp Simple Cartarbitrary file upload0.9.0 / 1.0.15
Wp Slimstat Exarbitrary file upload2.1 / 2.1.2
Wp Superb Slideshowarbitrary file upload2.0 / 2.4
Wp Support Plus Responsive Ticket Systemarbitrary file viewing1.0 / 4.1
Wp Swimteamarbitrary file viewing1 / 1.44.1077
Wp Symposiumarbitrary file upload13.04 / 14.11
Wp Vertical Galleryarbitrary file upload2.0 / 2.3
Wp Yasslideshowarbitrary file upload3.0 / 3.4
Wp2android Turn Wp Site Into Android Apparbitrary file upload1.1.4
Wpeasystatslocal file inclusion (LFI)1.8
Wpmarketplacearbitrary file viewing2.2.0 / 2.4.0
Wpshoparbitrary file upload1.3.1.6 /
Wpstorecartarbitrary file upload2.0.0 / 2.5.29
Wptf Image Galleryarbitrary file viewing1.0.1 / 1.0.3
Wsecureremote code execution (RCE)2.3
Wysija Newslettersarbitrary file upload1.1 / 2.6.7
Xdata Toolkitarbitrary file upload1.6 / 1.9
Zen Mobile App Nativearbitrary file upload3.0
Zingiri Web Shoparbitrary file upload2.3.6 / 2.4.3
Zip Attachmentsarbitrary file viewing1.0 / 1.4


Have your WordPress site been hacked?

Don’t despair; it happens to the best of us. It’s tough to give generic advice without having a look at your site, but if you can still login into your WP admin, we suggest installing the free Security Ninja plugin. It’ll perform +40 tests on your site, and with the Core add-on, you can validate the integrity of your core files by comparing them to the secure, master copies stored on WordPress.org. It’s an invaluable tool for any WordPress site!



The list of latest dangerous and vulnerable WordPress plugins is compiled from various sources including:

2 comments on “Hacked, Dangerous and Vulnerable WordPress Plugins

  1. Hi – thank you so much for mentioning our plugin, Security Ninja 🙂

    We actually have expanded the list to over 50+ security aspects and then we have also released a vulnerability checker in the plugin. That means you just have to install the plugin and then it warns you if there are any vulnerable plugins installed on your site and any recommendations.

    This is free for all to use, you just have to install the plugin and then it works in the background. No data is sent to our servers, your privacy is safe.

Leave a Reply

Your email address will not be published. Required fields are marked *