Which applications does Patchman detect and fix?
If you want to be notified every time we add new patches and signatures, please see "Can you notify me every time a new vulnerability patch is released?"
Currently, Patchman has two types of definitions.
When a version is supported by patches, fixes are available for most security flaws in these applications. This means that vulnerabilities in these applications are automatically fixed.
When only detection support is available, Patchman is able to detect installed versions of this application, which allows you to notify your users of outdated applications.
Patch and detection support for various versions of the supported applications is listed below. If you think there is a vulnerability in one of these applications that Patchman does not patch, please check "Why is vulnerability X not fixed by Patchman?" for more information.
Application | Patches | Bundle / Plan (for patching) | Version detection (all plans) |
---|---|---|---|
WordPress | 3.6 and later | Patchman CORE, | all |
Joomla | 2.5 and later | Patchman CORE, | all |
Drupal | 6.0 and later | Patchman CORE, | all |
Magento | 1.9.2.0 and later | Patchman COVERAGE, | all |
WooCommerce | 2.1.0 and later | Patchman COVERAGE, | all |
PrestaShop | 1.6.0.1 and later | Patchman COVERAGE, | Version detection for PrestaShop is currently unavailable pending changes in the detection mechanism. Vulnerability patching functionality is unaffected. |
Booked | | | all |
Coppermine | | | all |
Dolibarr | | | all |
Dotproject | | | all |
Feng Office | | | all |
FrontAccounting | | | all |
Gallery | | | all |
LifeType | | | all |
LimeSurvey | | | all major releases |
LinPHA | | | all |
LiveHelperChat | | | all |
MailPoet | Specific, see below | Specific, see below | none |
MediaWiki | | | all |
MODX | | | all |
Nextcloud | | | 9.0.54 and later |
NOCC | | | all |
OpenBiblio | | | all |
OpenCart | | | all |
OrangeHRM | | | all |
osCommerce | Specific, see below | Specific, see below | 2.2 - 2.4 |
ownCloud | | | all |
phpBB | | | all |
phpESP | | | all |
PHPFusion | | | all |
phpList | | | all |
phpMyChat | | | all |
phpScheduleIt | | | all |
PhpWiki | | | all |
Pligg | | | all |
SquirrelMail | | | all |
TYPO3 | | | all |
vTiger | | | all |
Wikiwig | | | all |
XOOPS | | | all |
YourLS | | | all |
ZenPhoto | | | all |
Plugins and libraries
A list of plugins fully supported by Patchman for patching and/or version detection is included below. If you are wondering why a specific plugin is not part of our coverage, please check "Why is plugin X not patched by Patchman?" for more information.
Plugin | Version(s) | Bundle / Plan (for patching) | Version detection (all plans) |
---|---|---|---|
WordPress Plugin: Advanced Editor Tools / TinyMCE | 3.5.9 and later | COVERAGE, COVERAGE+CLEAN | all |
WordPress Plugin: All in One SEO Pack | 2.3.9.2 and later | COVERAGE, COVERAGE+CLEAN | all |
WordPress Plugin: Contact Form 7 | 3.6 and later | COVERAGE, COVERAGE+CLEAN | all |
WordPress Plugin: Duplicator | Specific, see below | Specific, see below | all |
WordPress Plugin: GDPR Cookie Consent | Specific, see below | Specific, see below | all |
WordPress Plugin: Google XML Sitemaps | 4.0.8 and later | COVERAGE, COVERAGE+CLEAN | all |
WordPress Plugin: InfiniteWP Client | Specific, see below | Specific, see below | all |
WordPress Plugin: Jetpack | 2.7 and later | COVERAGE, COVERAGE+CLEAN | all |
WordPress Plugin: | Specific, see below | Specific, see below | all |
WordPress Plugin: ThemeGrill Demo Importer | Specific, see below | Specific, see below | all |
WordPress Plugin: WordPress Importer | 0.6.2 and later | COVERAGE, COVERAGE+CLEAN | all |
WordPress Plugin: Yoast SEO | 1.6.1 and later | COVERAGE, COVERAGE+CLEAN | all |
Joomla! Plugin: Akeeba Backup | all | ||
Joomla! Plugin: Joomla Content Editor (JCE) | all |
Library | Version(s) | Bundle / Plan (for patching) | Version detection (all plans) |
---|---|---|---|
PhpUnit | Specific, see below | Specific, see below | all |
Specific (critical) vulnerabilities
Some select vulnerabilities in plugins are patched due to their critical nature, even though those plugins aren't covered by full patch support. A list of these can be found below:
Application | Vulnerability / Fix | Bundle / Plan | Version(s) covered by patches |
---|---|---|---|
MailPoet | Vulnerability in privilege checking | CORE, COVERAGE, COVERAGE+CLEAN | 2.x |
osCommerce | File Manager upload | CORE, COVERAGE, COVERAGE+CLEAN | 2.2 |
Plugin | Vulnerability / Fix | Bundle / Plan | Version(s) covered by patches |
---|---|---|---|
WordPress Plugin: Duplicator | Adding hashes to file path to avoid arbitrary file download. | COVERAGE, COVERAGE+CLEAN | 1.3.26 - 1.3.24 |
WordPress Plugin: | Unauthenticated user to modify WordPress options | COVERAGE, COVERAGE+CLEAN | 1.3.9 - 1.2.8 |
WordPress Plugin: | Added check if user can manage options to prevent privilege escalation | COVERAGE, COVERAGE+CLEAN | 1.8.2 - 1.6.6 |
WordPress Plugin: InfiniteWP Client | Check added for add_site and read_site to avoid authentication bypass | COVERAGE, COVERAGE+CLEAN | 1.9.4.4 - 1.8.1 |
WordPress Plugin: | Added authorization check to AJAX actions; Unauthenticated Stored Cross-Site Scripting / Authenticated Settings Modification, Configuration Disclosure, and User Data Export | COVERAGE, COVERAGE+CLEAN | 3.72 - 3.0.5; 3.63 - 3.0.5 |
WordPress Plugin: ThemeGrill Demo Importer | Added check if user can manage options to prevent privilege escalation | COVERAGE, COVERAGE+CLEAN | 1.6.1 - 1.3.4 |
WordPress Plugin: | Persistent XSS on cached page | CORE, COVERAGE, COVERAGE+CLEAN | 0.x, 1.0, 1.1, 1.2, 1.3.x and 1.4.x |
Drupal Module: Coder | SA-CONTRIB-2016-039 | CORE, COVERAGE, COVERAGE+CLEAN | 7.x and 8.x |
Drupal Module: RESTWS | SA-CONTRIB-2016-040 | CORE, COVERAGE, COVERAGE+CLEAN | 7.x |
Drupal Module: Webform Multifile | SA-CONTRIB-2016-038 | CORE, COVERAGE, COVERAGE+CLEAN | 6.x and 7.x |
Library | Vulnerability / Fix | Bundle / Plan | Version(s) covered by patches |
---|---|---|---|
Genericons | XSS in Genericons example file | CORE, COVERAGE, COVERAGE+CLEAN | WordPress 4.0.x and Genericons 3.1 |
PHPMailer | CVE-2016-10033 | CORE, COVERAGE, COVERAGE+CLEAN | 5.0.0 - 5.2.18 |
PhpUnit | Prevent remote code execution of Util/PHP/eval-stdin.php via HTTP POST data beginning with "<?php " substring | COVERAGE, COVERAGE+CLEAN | 8.5.0 - 2.2.0 |