Article from Wordfence.com:
This is a WordPress security report for Oct 30th 2014. We are publishing a list of current critical vulnerabilities that we want to draw your attention to. Please scan the list below and, if you are using any of the products listed or know anyone who is, take the action given in each bullet point below.
- Creative Contact Form has a shell upload vulnerability in all versions prior to 1.0.0. Upgrade immediately. Reported by ExploitDB.
- The current version of CP Multi View Event Calendar 1.01 has an SQL injection vulnerability. Uninstall the plugin immediately until a fix is released. Published on PacketStorm by Claudio Viviani.
- (Chinese) The Alipay plugin for WordPress has an XSS vulnerability in versions 3.6.0 and lower. It may have been fixed in the newest version although that version does not have an entry in the plugin changelog. Disclosed by Prajal Kulkarni on CodeVigilant.
- The current version of Rich Counter 1.1.5 (possibly abandoned) contains an XSS vulnerability. Uninstall the plugin until a fix is released. Disclosed by XroGuE on PacketStorm.
- The InfusionSoft Gravity Forms AddOn contains a file upload vulnerability in 1.5.10 and older. Upgrade immediately to 1.5.11. Disclosed by g0blin; a Metasploit module was published by us3r777.
- The popular WP Google Maps plugin contains an XSS vulnerability in version 6.0.26 and possibly earlier versions. Upgrade to 6.0.28 immediately. Disclosed by HTBridge. Edit: Nick from WP Google Maps has posted a comment below regarding this issue. Looks like they are doing a great job of staying on top of this and future issues.
If you are using any of these plugins, please take the action suggested in the bullet point above. Help spread the word to improve WordPress security for the WordPress community.
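One way to act on a bulletin like this across many sites is to script the version check rather than read every plugin page by hand. The script below is an added example, not Wordfence code: it encodes the six bullets above as version ranges and flags installed plugins that still need action. It assumes the inventory comes from `wp plugin list --fields=title,version --format=json`, that plugin titles in that output match the names used in the bullets (titles on a real site may differ and would need adjusting), and uses a constructed sample inventory so it runs offline.

```python
"""Flag installed WordPress plugins that fall inside the version ranges named
in the Oct 30th 2014 bulletin above. Added example; not Wordfence code."""
import json
import re

# Constructed from the bulletin's bullets. "through" is the highest version the
# bulletin names as affected (inclusive); "fixed_in" is the version it tells
# you to upgrade to. A plugin needs action if version <= through or < fixed_in.
ADVISORIES = [
    {"title": "Creative Contact Form", "through": None, "fixed_in": "1.0.0",
     "action": "upgrade"},
    {"title": "CP Multi View Event Calendar", "through": "1.01", "fixed_in": None,
     "action": "uninstall until a fix is released"},
    {"title": "Alipay", "through": "3.6.0", "fixed_in": None,
     "action": "upgrade to the newest version (fix not confirmed in changelog)"},
    {"title": "Rich Counter", "through": "1.1.5", "fixed_in": None,
     "action": "uninstall until a fix is released"},
    {"title": "InfusionSoft Gravity Forms AddOn", "through": "1.5.10",
     "fixed_in": "1.5.11", "action": "upgrade to 1.5.11"},
    {"title": "WP Google Maps", "through": "6.0.26", "fixed_in": "6.0.28",
     "action": "upgrade to 6.0.28"},
]


def version_key(version, width=4):
    """Numeric, fixed-width key so '6.0.9' sorts before '6.0.26' and
    '1.0' equals '1.0.0' (string comparison would get both wrong)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0] * width)[:width])


def needs_action(installed_version, advisory):
    """True if the installed version is inside the advisory's affected range."""
    key = version_key(installed_version)
    fixed_in = advisory["fixed_in"]
    through = advisory["through"]
    if fixed_in is not None and key < version_key(fixed_in):
        return True
    if through is not None and key <= version_key(through):
        return True
    return False


def check_inventory(plugin_list_json):
    """plugin_list_json: JSON from `wp plugin list --fields=title,version --format=json`
    (assumed shape: a list of {"title": ..., "version": ...}).
    Returns [(title, version, action)] for every plugin that needs action."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        title = plugin["title"].strip()
        for advisory in ADVISORIES:
            # Exact title match, case-insensitive; a substring match would also
            # catch unrelated plugins such as "WP Google Maps Pro".
            if title.lower() == advisory["title"].lower() and \
                    needs_action(plugin["version"], advisory):
                findings.append((title, plugin["version"], advisory["action"]))
    return findings


# Constructed sample inventory for demonstration; not taken from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"title": "WP Google Maps", "version": "6.0.26"},
    {"title": "WP Google Maps Pro", "version": "5.0"},       # different plugin
    {"title": "Creative Contact Form", "version": "1.0.0"},  # already at the fix
    {"title": "Rich Counter", "version": "1.1.5"},
    {"title": "InfusionSoft Gravity Forms AddOn", "version": "1.5.9"},
    {"title": "Akismet", "version": "3.0.2"},                # not in the bulletin
])

if __name__ == "__main__":
    for title, version, action in check_inventory(SAMPLE_INVENTORY):
        print(f"{title} {version}: {action}")
```

On a real site, pipe the wp-cli output into `check_inventory` instead of the sample; the fixed-width numeric key is what keeps a plugin at 6.0.9 from being treated as newer than 6.0.26.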