Menu
iThemes
WordPress Security, Backups & Maintenance
WordPress News and Updates from iThemes
Categories

WordPress Vulnerability Report – April 20, 2022

Written by on

Last Updated on April 20, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.
Subscribe now

WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Elementor

Product image for Elementor Website Builder.
Plugin
Elementor Website Builder
Installations
5,000,000+
Vulnerability
Subscriber+ Arbitrary File Upload
Patched in Version
3.6.3
Severity Score
Critical
The vulnerability has been patched, so you should update to version 3.6.3.

Popup Maker

Product image for Popup Maker – Popup for opt-ins, lead gen, & more.
Plugin
Popup Maker – Popup for opt-ins, lead gen, & more
Installations
700,000+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
1.16.5
Severity Score
Low
The vulnerability has been patched, so you should update to version 1.16.5.

WPvivid Backup and Migration Plugin

Product image for Migration, Backup, Staging – WPvivid.
Plugin
Migration, Backup, Staging – WPvivid
Installations
100,000+
Vulnerability
Admin+ Arbitrary File Download
Patched in Version
0.9.71
Severity Score
Low
The vulnerability has been patched, so you should update to version 0.9.71.

Modern Events Calendar Lite

Product image for Modern Events Calendar Lite.
Plugin
Modern Events Calendar Lite
Installations
100,000+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
6.5.2
Severity Score
Low
The vulnerability has been patched, so you should update to version 6.5.2.

Slide Anything

Product image for Slide Anything – Responsive Content / HTML Slider and Carousel.
Plugin
Slide Anything – Responsive Content / HTML Slider and Carousel
Installations
100,000+
Vulnerability
Editor+ Stored Cross-Site Scripting
Patched in Version
2.3.44
Severity Score
Low
The vulnerability has been patched, so you should update to version 2.3.44.

Multiple Plugins from Cool Plugins – Cool Timeline

Product image for Cool Timeline.
Plugin
Cool Timeline
Installations
20,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
2.4
Severity Score
High
The vulnerability has been patched, so you should update to version 2.4.

Popup by Supsystic

Product image for Popup by Supsystic.
Plugin
Popup by Supsystic
Installations
20,000+
Vulnerability
Unauthenticated Subscriber Email Addresses Disclosure
Patched in Version
1.10.9
Severity Score
High
The vulnerability has been patched, so you should update to version 1.10.9.

Multiple Plugins from Cool Plugins – Cryptocurrency Widgets – Price Ticker & Coins List

Product image for Cryptocurrency Widgets – Price Ticker & Coins List.
Plugin
Cryptocurrency Widgets – Price Ticker & Coins List
Installations
10,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
2.5
Severity Score
High
The vulnerability has been patched, so you should update to version 2.5.

Multiple Plugins from Cool Plugins – Events Shortcodes For The Events Calendar

Product image for Events Shortcodes For The Events Calendar.
Plugin
Events Shortcodes For The Events Calendar
Installations
10,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
2.0
Severity Score
High
The vulnerability has been patched, so you should update to version 2.0.

Multiple Plugins from Cool Plugins – Cryptocurrency Donation Box – Bitcoin & Crypto Donations

Product image for Cryptocurrency Donation Box – Bitcoin & Crypto Donations.
Plugin
Cryptocurrency Donation Box – Bitcoin & Crypto Donations
Installations
5,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
1.8
Severity Score
High
The vulnerability has been patched, so you should update to version 1.8.

Multiple Plugins from Cool Plugins – Events Widgets For Elementor And The Events Calendar

Product image for Events Widgets For Elementor And The Events Calendar.
Plugin
Events Widgets For Elementor And The Events Calendar
Installations
5,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
1.5
Severity Score
High
The vulnerability has been patched, so you should update to version 1.5.

Simple Ajax Chat

Product image for Simple Ajax Chat.
Plugin
Simple Ajax Chat
Installations
4,000+
Vulnerability
Sensitive Information Disclosure; Log Clearing & Arbitrary Chat Message Deletion via CSRF
Patched in Version
20220216
Severity Score
Medium
The vulnerability has been patched, so you should update to version 20220216.

Multiple Plugins from Cool Plugins – Event Single Page Templates Addon For The Events Calendar

Product image for Event Single Page Templates Addon For The Events Calendar.
Plugin
Event Single Page Templates Addon For The Events Calendar
Installations
3,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
1.6
Severity Score
High
The vulnerability has been patched, so you should update to version 1.6.

Multiple Plugins from Cool Plugins – Events Search For The Events Calendar

Product image for Events Search For The Events Calendar.
Plugin
Events Search For The Events Calendar
Installations
2,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
1.2
Severity Score
High
The vulnerability has been patched, so you should update to version 1.2.

RSFirewall

Product image for RSFirewall!.
Plugin
RSFirewall!
Installations
2,000+
Vulnerability
IP Block Bypass
Patched in Version
1.1.25
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.1.25.

Multiple Plugins from Cool Plugins – Event Countdown For The Events Calendar

Product image for Event Countdown For The Events Calendar.
Plugin
Event Countdown For The Events Calendar
Installations
2,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
1.4
Severity Score
High
The vulnerability has been patched, so you should update to version 1.4.

Multiple Plugins from Cool Plugins -Cryptocurrency Widgets For Elementor

Product image for Cryptocurrency Widgets For Elementor.
Plugin
Cryptocurrency Widgets For Elementor
Installations
1,000+
Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version
1.3
Severity Score
High
The vulnerability has been patched, so you should update to version 1.3.

Ubigeo de Peru

Product image for Ubigeo de Perú para Woocommerce y WordPress.
Plugin
Ubigeo de Perú para Woocommerce y WordPress
Installations
1,000+
Vulnerability
Unauthenticated SQLi
Patched in Version
3.6.4
Severity Score
High
The vulnerability has been patched, so you should update to version 3.6.4.

Order Listener for WooCommerce

Product image for Order Listener for WooCommerce – Play Sounds Instantly on New Orders.
Plugin
Order Listener for WooCommerce – Play Sounds Instantly on New Orders
Installations
1,000+
Vulnerability
Unauthenticated SQLi
Patched in Version
3.2.2
Severity Score
High
The vulnerability has been patched, so you should update to version 3.2.2.

Personal Dictionary

Plugin
Personal Dictionary
Installations
30+
Vulnerability
Unauthenticated SQLi
Patched in Version
1.3.4
Severity Score
High
The vulnerability has been patched, so you should update to version 1.3.4.

Themify

Plugin
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
1.4.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.4.0.

Fancy Product Designer

Plugin
Fancy Product Designer
Vulnerability
Arbitrary File Upload via CSRF
Patched in Version
4.7.6
Severity Score
High
The vulnerability has been patched, so you should update to version 4.7.6.

MapSVG

Plugin
MapSVG
Vulnerability
Unauthenticated SQLi
Patched in Version
6.2.20
Severity Score
High
The vulnerability has been patched, so you should update to version 6.2.20.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

WP Maintenance

Product image for WP Maintenance.
Plugin
WP Maintenance
Installations
30,000+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched. You should deactivate the plugin.

WP Social Buttons

Product image for WP Social Buttons.
Plugin
WP Social Buttons
Installations
400+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched. You should deactivate the plugin.

IgniteUp

Plugin
IgniteUp – Coming Soon and Maintenance Mode
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched. You should deactivate the plugin.

BadgeOS

Plugin
BadgeOS
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should deactivate the plugin.

KB Support

Plugin
KB Support – WordPress Help Desk
Vulnerability
Unauthenticated Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CalderaWP License Manager

Plugin
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Admin Menu Editor

Plugin
Admin Menu Editor
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Product Filter For WooCommerce Product

Plugin
Product Filter For WooCommerce Product
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should deactivate the plugin.

SEMA API

Plugin
SEMA API
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should deactivate the plugin.

Easily Generate Rest API Url

Plugin
Easily Generate Rest API Url
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched. You should deactivate the plugin.

WP Video Gallery

Plugin
WP Video Gallery
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

  • Good news! No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

The Best WordPress Security Plugin to Secure & Protect WordPress

WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Get iThemes Security Pro
Other related posts
A computer riddled with security issue alerts. There is a large, orange shield with a slash in the middle of the screen. Surrounding it are a red target, a green skull and crossbones, an orange “bug”, a triangle with an explanation point in the middle and a gray gear.
WordPress Vulnerability Report – February 22, 2023
botnets
Botnets: What are They and How do They Operate
wordpress vulnerability report - security
WordPress Vulnerability Report – February 15, 2023
WordPress Security Recommendations
Top 10 WordPress Security Recommendations
Copy link
CopyCopied
Powered by Social Snap