Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. This report covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.
WordPress Core Vulnerabilities
WordPress 5.7.1 was released on April 15, 2021. This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release of WordPress core, it is recommended that you update your sites immediately!
WordPress Plugin Vulnerabilities
1. Accordion
Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: 2.2.30
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
2. RSS for Yandex Turbo
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.30
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
3. Kaswara Modern VC Addons
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4. WP Content Copy Protection & No Right Click
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 3.4
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 3.5.1
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
5. Conditional Marketing Mailer for WooCommerce
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 1.6
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 1.5.2
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
6. Captchinoo, Google recaptcha for admin login page
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7. WP Maintenance Mode & Site Under Construction
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8. Tree Sitemap
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9. Login Protection – Limit Failed Login Attempts
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
10. Visitor Traffic Real Time Statistics
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 2.13
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 2.12
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
11. Login as User or Customer
Vulnerability: Arbitrary Plugin Installation/Activation via CSRF
Patched in Version: 2.1
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability: Arbitrary Plugin Installation/Activation via Low Privilege User
Patched in Version: 1.8
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
12. Redirect 404 to Parent
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.1
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
13. Select All Categories and Taxonomies
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.2
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
14. Software License Manager
Vulnerability: CSRF to Stored XSS
Patched in Version: 4.4.6
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
15. Car Seller – Auto Classifieds Script
Vulnerability: Unauthenticated SQL Injection
Patched in Version: No known fix
Severity: Critical – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
16. Store Locator Plus
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
17. Happy Addons for Elementor Free & Pro
Vulnerability: Stored Cross-Site Scripting
Free Patched in Version: 2.24.0
Pro Patched in Version: 1.17.0
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
18. WP Fastest Cache
Vulnerability: Authenticated Arbitrary File Deletion via Path Traversal
Patched in Version: 0.9.1.7
Severity: Low – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
19. WPGraphQL
Vulnerability: Denial of Service
Patched in Version: No known fix
Severity: High – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
20. WooCommerce
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 5.2.0
Severity: Medium – CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
WordPress Theme Vulnerabilities
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
