WordPress Vulnerability Report – April 20, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of low, medium, high, or critical.

SolidWP Editorial Team


Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!


WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the WordPress plugin vulnerabilities disclosed this week. Each plugin listing includes the type of vulnerability, the number of active installations, the first version that fixes it (if one exists), and the severity rating. The prefix on the vulnerability type is the lowest privilege an attacker needs: Unauthenticated means anyone who can reach the site, while Subscriber+, Editor+ and Admin+ require an account with at least that role. Admin+ stored cross-site scripting is rated Low because an attacker who already holds an administrator account gains little from it; on a single-site install administrators can post unfiltered HTML anyway, so it matters mainly on multisite or where that capability has been removed.

Elementor

Plugin:
Elementor Website Builder
Installations:
5,000,000+
Vulnerability:
Subscriber+ Arbitrary File Upload
Patched in Version:
3.6.3
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.6.3.

Popup Maker

Plugin:
Popup Maker – Popup for opt-ins, lead gen, & more
Installations:
700,000+
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
1.16.5
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.16.5.

WPvivid Backup and Migration Plugin

Plugin:
Migration, Backup, Staging – WPvivid
Installations:
100,000+
Vulnerability:
Admin+ Arbitrary File Download
Patched in Version:
0.9.71
Severity Score:
Low
The vulnerability has been patched, so you should update to version 0.9.71.

Modern Events Calendar Lite

Plugin:
Modern Events Calendar Lite
Installations:
100,000+
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
6.5.2
Severity Score:
Low
The vulnerability has been patched, so you should update to version 6.5.2.

Slide Anything

Plugin:
Slide Anything – Responsive Content / HTML Slider and Carousel
Installations:
100,000+
Vulnerability:
Editor+ Stored Cross-Site Scripting
Patched in Version:
2.3.44
Severity Score:
Low
The vulnerability has been patched, so you should update to version 2.3.44.

Multiple Plugins from Cool Plugins – Cool Timeline

Plugin:
Cool Timeline
Installations:
20,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
2.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.4.

Popup by Supsystic

Plugin:
Popup by Supsystic
Installations:
20,000+
Vulnerability:
Unauthenticated Subscriber Email Addresses Disclosure
Patched in Version:
1.10.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.10.9.

Multiple Plugins from Cool Plugins – Cryptocurrency Widgets – Price Ticker & Coins List

Plugin:
Cryptocurrency Widgets – Price Ticker & Coins List
Installations:
10,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
2.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.5.

Multiple Plugins from Cool Plugins – Events Shortcodes For The Events Calendar

Plugin:
Events Shortcodes For The Events Calendar
Installations:
10,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
2.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.0.

Multiple Plugins from Cool Plugins – Cryptocurrency Donation Box – Bitcoin & Crypto Donations

Plugin:
Cryptocurrency Donation Box – Bitcoin & Crypto Donations
Installations:
5,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
1.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.8.

Multiple Plugins from Cool Plugins – Events Widgets For Elementor And The Events Calendar

Plugin:
Events Widgets For Elementor And The Events Calendar
Installations:
5,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
1.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.5.

Simple Ajax Chat

Plugin:
Simple Ajax Chat
Installations:
4,000+
Vulnerability:
Sensitive Information Disclosure; Log Clearing & Arbitrary Chat Message Deletion via CSRF
Patched in Version:
20220216
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 20220216.

Multiple Plugins from Cool Plugins – Event Single Page Templates Addon For The Events Calendar

Plugin:
Event Single Page Templates Addon For The Events Calendar
Installations:
3,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
1.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.6.

Multiple Plugins from Cool Plugins – Events Search For The Events Calendar

Plugin:
Events Search For The Events Calendar
Installations:
2,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
1.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.2.

RSFirewall

Plugin:
RSFirewall!
Installations:
2,000+
Vulnerability:
IP Block Bypass
Patched in Version:
1.1.25
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.25.

Multiple Plugins from Cool Plugins – Event Countdown For The Events Calendar

Plugin:
Event Countdown For The Events Calendar
Installations:
2,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
1.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.4.

Multiple Plugins from Cool Plugins – Cryptocurrency Widgets For Elementor

Plugin:
Cryptocurrency Widgets For Elementor
Installations:
1,000+
Vulnerability:
Subscriber+ Arbitrary Plugin Installation & Activation
Patched in Version:
1.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.

Ubigeo de Peru

Plugin:
Ubigeo de Perú para Woocommerce y WordPress
Installations:
1,000+
Vulnerability:
Unauthenticated SQLi
Patched in Version:
3.6.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.6.4.

Order Listener for WooCommerce

Plugin:
Order Listener for WooCommerce – Play Sounds Instantly on New Orders
Installations:
1,000+
Vulnerability:
Unauthenticated SQLi
Patched in Version:
3.2.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.2.2.

Personal Dictionary

Plugin:
Personal Dictionary
Installations:
30+
Vulnerability:
Unauthenticated SQLi
Patched in Version:
1.3.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.4.

Themify

Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
1.4.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.4.0.

Fancy Product Designer

Plugin:
Fancy Product Designer
Vulnerability:
Arbitrary File Upload via CSRF
Patched in Version:
4.7.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 4.7.6.

MapSVG

Plugin:
MapSVG
Vulnerability:
Unauthenticated SQLi
Patched in Version:
6.2.20
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.2.20.

WordPress Plugin Vulnerabilities – No Known Fix

This section lists plugin vulnerabilities with no known fix. Until a patch is available, deactivate and delete the plugin. Deactivating alone is not enough: the plugin's files stay on disk under wp-content/plugins, and a vulnerable PHP file that can be requested directly (rather than through a WordPress hook) remains exploitable after deactivation. Reinstall only once the changelog shows a fixed version.

WP Maintenance

Plugin:
WP Maintenance
Installations:
30,000+
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. Deactivate and delete the plugin.

WP Social Buttons

Plugin:
WP Social Buttons
Installations:
400+
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. Deactivate and delete the plugin.

IgniteUp

Plugin:
IgniteUp – Coming Soon and Maintenance Mode
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. Deactivate and delete the plugin.

BadgeOS

Plugin:
BadgeOS
Vulnerability:
Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. Deactivate and delete the plugin.

KB Support

Plugin:
KB Support – WordPress Help Desk
Vulnerability:
Unauthenticated Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. Deactivate and delete the plugin.

CalderaWP License Manager

Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. Deactivate and delete the plugin.

Admin Menu Editor

Plugin:
Admin Menu Editor
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. Deactivate and delete the plugin.

Product Filter For WooCommerce Product

Plugin:
Product Filter For WooCommerce Product
Vulnerability:
Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. Deactivate and delete the plugin.

SEMA API

Plugin:
SEMA API
Vulnerability:
Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. Deactivate and delete the plugin.

Easily Generate Rest API Url

Plugin:
Easily Generate Rest API Url
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched. Deactivate and delete the plugin.

WP Video Gallery

Plugin:
WP Video Gallery
Vulnerability:
Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. Deactivate and delete the plugin.
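To turn a report like this into a check against your own install, here is an added example script; it is not SolidWP, WPScan or WordPress code. It reads the core version from wp-includes/version.php (the same file WordPress reads) and each plugin's version from its header block, then compares them with a table of patched versions taken from the core and plugin listings above, flagging no-fix entries regardless of installed version. The plugin slugs in the table, the sample site it builds in a temporary directory and the versions inside it are constructed for the demonstration.

```python
"""Check a WordPress install against a vulnerability report.

Added example, not SolidWP, WPScan or WordPress code. Reads the core version
from wp-includes/version.php and each plugin's version from its header block,
then compares both against a table of patched versions. Slugs, sample site
and sample versions are constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# plugin directory slug -> (first patched version, severity); None = no known fix.
# Slugs are assumptions: WordPress identifies a plugin by its directory name under
# wp-content/plugins, not by the display name used in a report.
ADVISORIES = {
    "elementor": ("3.6.3", "Critical"),
    "popup-maker": ("1.16.5", "Low"),
    "simple-ajax-chat": ("20220216", "Medium"),
    "wp-maintenance": (None, "Low"),
}
CORE_CURRENT = "5.9.3"
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Header field shape WordPress accepts: optional comment decoration before the key.
HEADER_RE = re.compile(r"^[ \t/*#@]*(plugin name|version):[ \t]*(.+?)[ \t]*$", re.M | re.I)


def parse_version(v):
    """'3.6.3' -> (3, 6, 3); date-style '20220216' -> (20220216,).
    Non-numeric pieces such as 'beta' count as 0; enough for an 'older than fix' check."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(installed, patched):
    """True if installed < patched. Zero-pads so '3.6' equals '3.6.0';
    a bare tuple comparison would call (3, 6) older than (3, 6, 0)."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def read_plugin_header(plugin_dir):
    """{'name', 'version'} from the first .php file whose header has 'Plugin Name:'.
    WordPress itself only inspects the first 8 KiB of the file."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        fields = {k.lower(): v for k, v in HEADER_RE.findall(php.read_text(errors="replace")[:8192])}
        if "plugin name" in fields:
            return {"name": fields["plugin name"], "version": fields.get("version", "0")}
    return None


def read_core_version(wp_root):
    """Core keeps its version in wp-includes/version.php as  $wp_version = '5.9.2';"""
    text = (Path(wp_root) / "wp-includes" / "version.php").read_text()
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None


def audit(wp_root):
    """Findings as (slug, installed, action, severity): core first, then plugins
    ordered by severity so Critical items top the list."""
    findings = []
    for d in sorted(p for p in (Path(wp_root) / "wp-content" / "plugins").iterdir() if p.is_dir()):
        hdr = read_plugin_header(d) if d.name in ADVISORIES else None
        if hdr is None:
            continue  # not in this report, or no readable header
        patched, severity = ADVISORIES[d.name]
        if patched is None:  # no-fix entries are flagged whatever version is installed
            findings.append((d.name, hdr["version"], "no fix: deactivate and delete", severity))
        elif version_lt(hdr["version"], patched):
            findings.append((d.name, hdr["version"], f"update to {patched}", severity))
    findings.sort(key=lambda f: SEVERITY_RANK[f[3]])
    core = read_core_version(wp_root)
    if core and version_lt(core, CORE_CURRENT):
        findings.insert(0, ("wordpress-core", core, f"update to {CORE_CURRENT}", "n/a"))
    return findings


def build_sample_site():
    """Constructed WordPress tree: outdated core, one outdated plugin, one patched
    plugin, one date-versioned plugin, one no-fix plugin, one not in the report."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '5.9.2';\n")
    sample = {
        "elementor": ("Elementor", "3.6.2"),
        "popup-maker": ("Popup Maker", "1.16.5"),
        "simple-ajax-chat": ("Simple Ajax Chat", "20220130"),
        "wp-maintenance": ("WP Maintenance", "6.0.6"),
        "unrelated-plugin": ("Unrelated Plugin", "1.0"),
    }
    for slug, (name, version) in sample.items():
        d = root / "wp-content" / "plugins" / slug
        d.mkdir(parents=True)
        (d / f"{slug}.php").write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for slug, installed, action, severity in audit(build_sample_site()):
        print(f"{severity:8} {slug:18} {installed:10} -> {action}")
```

Point audit() at a real document root and extend ADVISORIES from the listings; key it on the plugin directory slug, since a report's display name ("Elementor Website Builder") differs from the header's ("Elementor") and the directory name is what WordPress uses. The zero-padding in version_lt matters on real data: a plugin reporting "3.6" must not be flagged against a fix in "3.6.0", and date-style versions such as 20220216 compare correctly as single integers.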

WordPress Theme Vulnerabilities

This section lists the WordPress theme vulnerabilities disclosed this week. Each theme listing includes the type of vulnerability, the number of active installations, the first version that fixes it (if one exists), and the severity rating.

No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
