WordPress Vulnerability Report – April 6, 2022

Written by iThemes Editorial Team on April 6, 2022

Last Updated on April 6, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the April 6, 2022 Report
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • Advanced Custom Fields
    • Anti-Malware Security and Brute-Force Firewall
    • Spam protection, AntiSpam, FireWall by CleanTalk
    • Quick Adsense
    • wpDataTables
    • Animate It!
    • ThirstyAffiliates Affiliate Link Manager
    • Weblizar Pin It Button On Image Hover And Post
    • Mycred
    • Social comments by WpDevArt
    • Donorbox
    • WP YouTube Live
    • Menubar
    • Amr Users
    • Opensea
    • Page Restriction WordPress
    • Be POPIA Compliant
    • 5 Stars Rating Funnel
    • Flo Launch
    • uDraw
    • LayerSlider
    • English WordPress Admin
  • WordPress Plugin Vulnerabilities – No Known Fix
    • ULeak Security & Monitoring
    • Cab fare calculator
    • Videos sync PDF
    • Nimble Page Builder
    • Books & Papers
    • Clipr
    • Donations
    • Master Elements
    • Users Ultra
    • Advanced Page Visit Counter
    • DW Question & Answer Pro
    • Testimonial Slider
  • WordPress Theme Vulnerabilities
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring

WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if any), and the severity rating.

Advanced Custom Fields

Plugin: Advanced Custom Fields
Installations: 2,000,000+
Vulnerability: Contributor+ Database Information Access
Patched in Version: 5.12.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.12.1.

Anti-Malware Security and Brute-Force Firewall

Plugin: Anti-Malware Security and Brute-Force Firewall
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.20.96
Severity Score: Low
The vulnerability has been patched, so you should update to version 4.20.96.

Spam protection, AntiSpam, FireWall by CleanTalk

Plugin: Spam protection, AntiSpam, FireWall by CleanTalk
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.174.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.174.1.

Quick Adsense

Plugin: Quick Adsense
Installations: 70,000+
Vulnerability: Subscriber+ Post Stats Reset
Patched in Version: 2.8.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.8.2.

wpDataTables

Plugin: wpDataTables – Tables & Table Charts
Installations: 60,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.1.28
Severity Score: Low
The vulnerability has been patched, so you should update to version 2.1.28.

Animate It!

Plugin: Animate It!
Installations: 40,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.4.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.4.0.

ThirstyAffiliates Affiliate Link Manager

Plugin: ThirstyAffiliates Affiliate Link Manager
Installations: 40,000+
Vulnerability: Subscriber+ Arbitrary Affiliate Links Creation; Subscriber+ Unauthorized Image Upload + CSRF
Patched in Version: 3.10.5
Severity Score: Low
The vulnerability has been patched, so you should update to version 3.10.5.

Weblizar Pin It Button On Image Hover And Post

Plugin: Weblizar Pin It Button On Image Hover And Post
Installations: 30,000+
Vulnerability: Subscriber+ Arbitrary Settings Update
Patched in Version: 3.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.4.

Mycred

Plugin: myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
Installations: 20,000+
Vulnerability: Subscriber+ User E-mail Addresses Disclosure; Subscriber+ Import/Export to Email Address Disclosure; Subscriber+ Arbitrary Post Creation
Patched in Version: 2.4.4.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.4.4.1.

Social comments by WpDevArt

Plugin: Social comments by WpDevArt
Installations: 20,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.5.0
Severity Score: Low
The vulnerability has been patched, so you should update to version 2.5.0.

Donorbox

Plugin: Donorbox – Free Recurring Donation Form
Installations: 9,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 7.1.7
Severity Score: Low
The vulnerability has been patched, so you should update to version 7.1.7.

WP YouTube Live

Plugin: WP YouTube Live
Installations: 3,000+
Vulnerability: Authenticated Reflected Cross-Site Scripting
Patched in Version: 1.7.22
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.7.22.

Menubar

Plugin: Menubar
Installations: 3,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.8
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.8.

Amr Users

Plugin: amr users
Installations: 2,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.59.4
Severity Score: Low
The vulnerability has been patched, so you should update to version 4.59.4.

Opensea

Plugin: Opensea
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.0.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.0.3.

Page Restriction WordPress

Plugin: Page Restriction WordPress (WP) – Protect WP Pages/Post
Installations: 600+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.7
Severity Score: Low
The vulnerability has been patched, so you should update to version 1.2.7.

Be POPIA Compliant

Plugin: Be POPIA Compliant
Installations: 20+
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched in Version: 1.1.6
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.6.

5 Stars Rating Funnel

Plugin: 5 Stars Rating Funnel WordPress Plugin | RRatingg
Installations: 10+
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 1.2.53
Severity Score: High
The vulnerability has been patched, so you should update to version 1.2.53.

Flo Launch

Plugin: Flo Launch
Vulnerability: Missing Authentication Allows Full Site Takeover
Patched in Version: 2.4.1
Severity Score: Critical
The vulnerability has been patched, so you should update to version 2.4.1.

uDraw

Plugin: Web To Print Shop : uDraw
Vulnerability: Unauthenticated Arbitrary File Access
Patched in Version: 3.3.3
Severity Score: High
The vulnerability has been patched, so you should update to version 3.3.3.

LayerSlider

Plugin: Layer Slider
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 7.1.2
Severity Score: Low
The vulnerability has been patched, so you should update to version 7.1.2.

English WordPress Admin

Plugin: English WordPress Admin
Vulnerability: Unauthenticated Open Redirect
Patched in Version: 1.5.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.5.2.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

ULeak Security & Monitoring

Plugin: ULeak Security & Monitoring Plugin
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

Cab fare calculator

Plugin: Cab fare calculator
Installations: 100+
Vulnerability: Unauthenticated Local File Inclusion (LFI)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Videos sync PDF

Plugin: Videos sync PDF
Installations: 10+
Vulnerability: Unauthenticated Local File Inclusion (LFI)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Nimble Page Builder

Plugin: Nimble Page Builder
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Books & Papers

Plugin: Books & Papers
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched. You should deactivate the plugin.

Clipr

Plugin: Clipr
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched. You should deactivate the plugin.

Donations

Plugin: Donations
Vulnerability: Unauthenticated SQL Injection
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

Master Elements

Plugin: Master Elements
Vulnerability: Unauthenticated SQL Injection
Patched in Version: No Fix
Severity Score: Critical
The vulnerability has not been patched. You should deactivate the plugin.

Users Ultra

Plugin: Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin
Vulnerability: Unauthenticated SQL Injection
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Page Visit Counter

Plugin: Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin
Vulnerability: Subscriber+ Blind SQL Injection
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

DW Question & Answer Pro

Plugin: DW Question Answer Pro
Vulnerability: Multiple CSRF; Arbitrary Comment Editing via IDOR
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Testimonial Slider

Plugin: Testimonial Slider – Free Testimonials Slider Plugin
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if any), and the severity rating.

  • Good news! No new WordPress theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked, with 30+ ways to secure your site in one easy-to-use plugin.

2. Enable the Site Scan to Check for Vulnerabilities

The Site Scanner checks your site for known vulnerabilities, including plugins, themes, and WordPress core. It also scans Google’s blocklist status and will alert you if Google has found any malware on your website.

3. Activate Automatic Vulnerability Patching

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins, and WordPress core versions are automatically updated for you, so you don’t have to keep track of these reports yourself.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices to protect from session hijacking
  • reCAPTCHA
  • Brute force protection
  • Privilege escalation
  • Compromised passwords check & refusal

iThemes Editorial Team

Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.
