WordPress Vulnerability Report – December 14, 2022

Written by iThemes Editorial Team on December 14, 2022

Last Updated on January 3, 2023

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the December 14, 2022 Report
  • The Future of Authentication is Passkeys! Login to your WordPress site with Biometrics only available in iThemes Security Pro
  • WordPress Core News
    • WordPress Core
  • WordPress Plugin Vulnerabilities
    • White Label CMS
    • iubenda
    • Custom Field Template
    • Team Members
    • WP Custom Admin Interface
    • Image Hover Effects Ultimate
    • WP-Ban
    • All-in-One Addons for Elementor – WidgetKit
    • Authenticator
    • BookingPress
    • WP Smart Import
    • Image Optimizer, Resizer and CDN
    • WordPress Filter Gallery Plugin
    • WP-Lister Lite for Amazon
    • Joy Of Text Lite
    • Build App Online
    • Wholesale Market
    • Visual Email Designer for WooCommerce
    • Login with Cognito
    • YITH WooCommerce Gift Cards
    • WP Cerber
    • WPQA
    • Wholesale Market for WooCommerce
  • WordPress Plugin Vulnerabilities – No Known Fix
    • WP User
    • Quote-O-Matic
    • Qe SEO Handyman
    • WP AutoComplete Search
    • Product list Widget for Woocommerce
    • Web Invoice
    • Cryptocurrency Widgets Pack
    • LetsRecover
    • WP Social Sharing
    • Multimedial Images
    • WP RSS By Publishers
  • WordPress Theme Vulnerabilities
    • Superio – Job Board
    • WPQA – Himer
    • WPQA – Discy
  • The Best WordPress Security Plugin to Secure & Protect WordPress Sites

The Future of Authentication is Passkeys! Login to your WordPress site with Biometrics only available in iThemes Security Pro

Brute-force attacks, credential stuffing, phishing, and reused passwords have made password-based logins the weak point of our digital lives. We have all tried to encourage two-factor authentication as a protection, but fewer than 30% of users actually enable 2FA. Password-based logins are a problem.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this technology to WordPress sites. Passkeys are built on the WebAuthn standard and public-key cryptography: the private key stays on the user's device and the site stores only the public key, so there is no shared secret to phish, stuff, or reuse, and passwords become obsolete. Website admins and end users get secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, make sure your site is backed up with BackupBuddy before updating.

WordPress Core

Vulnerability
Unauthenticated Blind SSRF via DNS Rebinding
Patched in Version
No Fix
Severity Score
Medium
CVE
2022-3590
The vulnerability has not been patched.

This vulnerability was reported by Thomas Chauchefoin and, at the time of writing, affects all versions of WordPress. A pingback makes your server fetch an attacker-chosen URL; the DNS rebinding trick gets that fetch past WordPress's check that the target is not an internal address, so services on your internal network become reachable from the outside, although the attacker does not see the response body (hence "blind"). The likelihood of exploitation is low, however, and you can fully mitigate it by disabling pingbacks (the XML-RPC pingback methods) or blocking the xmlrpc.php endpoint altogether.
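The mitigation in code, as an added example that is not from the original post, from WordPress core, or from an iThemes product: a must-use plugin (drop it into wp-content/mu-plugins/) that removes the two pingback methods from the XML-RPC server and stops advertising the endpoint. The filter names are WordPress core's own; the plugin header and comments are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC pingbacks
 * Description: Added example, not WordPress core code and not an iThemes product.
 *              Removes the pingback methods so pingback.ping cannot trigger a
 *              server-side fetch, which is what the SSRF above abuses.
 */

// Remove the two pingback methods. A pingback.ping request now gets
// "Method not found" instead of making WordPress fetch a URL.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
// This is hygiene only: an attacker can still request /xmlrpc.php
// directly, so the method removal above is the actual fix.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Returning false from 'xmlrpc_enabled' is NOT enough on its own: that
// filter is checked inside wp_xmlrpc_server::login(), so it only switches
// off methods that authenticate, and pingback.ping never logs in.
```

If you would rather remove the whole endpoint, deny requests to /xmlrpc.php at the web server or with a security plugin, and keep the filter above as belt and braces for the case where that rule is lost in a migration.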


WordPress Plugin Vulnerabilities

This section lists the WordPress plugin vulnerabilities disclosed this week. Each plugin listing includes the type of vulnerability, the number of active installations, the version that fixes it (if patched), the severity rating, and the CVE.
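A way to turn a listing like this into a per-site to-do list, as an added example (not the report's code and not WP-CLI's): a standalone PHP script that compares the JSON printed by `wp plugin list --fields=name,status,version --format=json` against the slugs and fixed versions from the table. The slugs and versions in `REPORT` are copied from this report; the `wp plugin list` sample is constructed and its version numbers are made up.

```php
<?php
// Added example: triage a site's installed plugins against this week's table.
// Run as: wp plugin list --fields=name,status,version --format=json | php triage.php
// (the constructed sample below is used when nothing is piped in).

// Slug => version that fixes the issue, or null when the report says "No Fix".
// Values copied from the entries in this report.
const REPORT = [
    'white-label-cms'                     => '2.5',
    'iubenda-cookie-law-solution'         => '3.3.3',
    'bookingpress-appointment-booking'    => '1.0.31',
    'joy-of-text'                         => '2.3.1',
    'yith-woocommerce-gift-cards-premium' => '3.20.0',
    'wp-user'                             => null,
    'wp-autosearch'                       => null,
];

/**
 * One finding per installed plugin the report covers:
 *   'update' - a fixed version exists and the installed one is older
 *   'remove' - no fix is available, delete the plugin
 *   'ok'     - already at or past the fixed version
 */
function triage(array $installed, array $report): array {
    $findings = [];
    foreach ($installed as $plugin) {
        $slug = $plugin['name'];                 // wp-cli puts the slug in "name"
        if (!array_key_exists($slug, $report)) {
            continue;                            // not mentioned this week
        }
        $fixed = $report[$slug];
        if ($fixed === null) {
            $action = 'remove';
        } elseif (version_compare($plugin['version'], $fixed, '<')) {
            $action = 'update';
        } else {
            $action = 'ok';
        }
        $findings[$slug] = [
            'installed' => $plugin['version'],
            'fixed_in'  => $fixed ?? 'No Fix',
            // An inactive plugin's files are still on disk and may be reachable
            // directly, so "inactive" is reported, not treated as safe.
            'status'    => $plugin['status'],
            'action'    => $action,
        ];
    }
    return $findings;
}

// Constructed sample of `wp plugin list` output (versions are invented).
$sample = '[
  {"name":"white-label-cms","status":"active","version":"2.4.1"},
  {"name":"iubenda-cookie-law-solution","status":"active","version":"3.3.3"},
  {"name":"wp-autosearch","status":"inactive","version":"1.0.4"},
  {"name":"akismet","status":"active","version":"5.0.1"}
]';

$stdin = stream_isatty(STDIN) ? '' : trim((string) stream_get_contents(STDIN));
$installed = json_decode($stdin !== '' ? $stdin : $sample, true, 512, JSON_THROW_ON_ERROR);

foreach (triage($installed, REPORT) as $slug => $f) {
    printf("%-36s %-9s installed %-8s fixed in %-8s -> %s\n",
        $slug, $f['status'], $f['installed'], $f['fixed_in'], strtoupper($f['action']));
}
```

With the constructed sample this prints UPDATE for white-label-cms, OK for iubenda-cookie-law-solution, REMOVE for wp-autosearch, and nothing for akismet, which the report does not mention. `version_compare()` understands the usual PHP-style version strings plugins use, so "2.4.1" is correctly read as older than "2.5".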

White Label CMS

Plugin
White Label CMS
Plugin Slug
white-label-cms
Installations
200,000+
Vulnerability
Admin+ PHP Object Injection
Patched in Version
2.5
Severity Score
Low
CVE
2022-4302
The vulnerability has been patched, so you should update to version 2.5.
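What an "Admin+ PHP Object Injection" is in practice, as an added illustration that is not White Label CMS's code or any other listed plugin's: the dangerous pattern is passing attacker-controlled serialized data to `unserialize()`, which instantiates whatever classes the blob names and lets their magic methods run. The `LogWriter` gadget, the two import handlers and the payload are constructed for this example; it runs with plain `php` on the command line.

```php
<?php
// Added illustration of "PHP Object Injection"; not code from White Label CMS
// or any other plugin in this report.

// Stand-in for a "gadget": any class already loaded by WordPress, a theme or
// another plugin whose __destruct()/__wakeup() acts on its own properties.
// Here the side effect is recorded instead of performed.
class LogWriter {
    public static $fired = [];
    public $path = '';
    public $data = '';
    public function __destruct() {
        // A real gadget might do file_put_contents($this->path, $this->data).
        self::$fired[] = $this->path;
    }
}

// VULNERABLE: a settings-import handler that trusts the uploaded blob.
// Discarding a non-array result does not help: the object has already been
// created, so its destructor runs the moment it goes out of scope.
function import_settings_vulnerable(string $blob): array {
    $settings = unserialize($blob);
    return is_array($settings) ? $settings : [];
}

// HARDENED: never let unserialize() build objects from untrusted data, then
// reject anything that is not plain scalar/array data.
function import_settings_hardened(string $blob): array {
    $settings = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return [];   // objects arrive as __PHP_Incomplete_Class; treat as malformed
    }
    array_walk_recursive($settings, function ($value) {
        if (is_object($value)) {
            throw new InvalidArgumentException('objects are not allowed in settings');
        }
    });
    return $settings;
}

// Constructed payload: what an attacker holding an administrator account would
// paste into an import form. It names the gadget class and fills its fields.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/poc.php";s:4:"data";s:5:"owned";}';

LogWriter::$fired = [];
import_settings_vulnerable($payload);
$vulnerable_hits = count(LogWriter::$fired);   // 1: the destructor ran

LogWriter::$fired = [];
import_settings_hardened($payload);
$hardened_hits = count(LogWriter::$fired);     // 0: no LogWriter was built

printf("vulnerable handler: destructor ran %d time(s); hardened handler: %d\n",
    $vulnerable_hits, $hardened_hits);
```

The "Admin+" prefix is why this and the similar entries below are rated Low: on a default single-site install an administrator can already upload plugins and edit theme files, so a bug that needs administrator access adds little. It matters where administrators are deliberately restricted (`DISALLOW_FILE_MODS` or `DISALLOW_FILE_EDIT` set, or a multisite where site administrators are not super admins) or when it can be chained with a CSRF that makes an administrator submit the import for the attacker. When the data has to be structured, JSON is the safer serialization for settings and imports because it cannot name classes at all.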

iubenda

Plugin
iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more
Plugin Slug
iubenda-cookie-law-solution
Installations
100,000+
Vulnerability
Subscriber+ Privileges Escalation to Admin
Patched in Version
3.3.3
Severity Score
High
CVE
2022-3911
The vulnerability has been patched, so you should update to version 3.3.3.

Custom Field Template

Plugin
Custom Field Template
Plugin Slug
custom-field-template
Installations
50,000+
Vulnerability
Admin+ PHP Object Injection
Patched in Version
2.5.8
Severity Score
Low
CVE
2022-4324
The vulnerability has been patched, so you should update to version 2.5.8.

Team Members

Plugin
Team Members
Plugin Slug
team-members
Installations
40,000+
Vulnerability
Editor+ Stored XSS
Patched in Version
5.2.1
Severity Score
Low
CVE
2022-3936
The vulnerability has been patched, so you should update to version 5.2.1.

WP Custom Admin Interface

Plugin
WP Custom Admin Interface
Plugin Slug
wp-custom-admin-interface
Installations
30,000+
Vulnerability
Admin+ PHP Object Injection
Patched in Version
7.29
Severity Score
Medium
CVE
2022-4043
The vulnerability has been patched, so you should update to version 7.29.

Image Hover Effects Ultimate

Plugin
Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
Plugin Slug
image-hover-effects-ultimate
Installations
20,000+
Vulnerability
Admin+ Stored XSS
Patched in Version
9.8.5
Severity Score
Low
CVE
2022-4207
The vulnerability has been patched, so you should update to version 9.8.5.

WP-Ban

Plugin
WP-Ban
Plugin Slug
wp-ban
Installations
10,000+
Vulnerability
Admin+ Stored XSS
Patched in Version
1.69.1
Severity Score
Low
CVE
2022-4260
The vulnerability has been patched, so you should update to version 1.69.1.

All-in-One Addons for Elementor – WidgetKit

Plugin
All-in-One Addons for Elementor – WidgetKit
Plugin Slug
widgetkit-for-elementor
Installations
10,000+
Vulnerability
Admin+ Stored XSS
Patched in Version
2.4.4
Severity Score
Low
CVE
2022-4256
The vulnerability has been patched, so you should update to version 2.4.4.

Authenticator

Plugin
Authenticator
Plugin Slug
authenticator
Installations
3,000+
Vulnerability
Subscriber+ Denial of Service via Feed Token Disclosure
Patched in Version
1.3.1
Severity Score
Medium
CVE
2022-3994
The vulnerability has been patched, so you should update to version 1.3.1.

BookingPress

Plugin
BookingPress – Appointments Booking Calendar Plugin and Online Scheduling Plugin
Plugin Slug
bookingpress-appointment-booking
Installations
3,000+
Vulnerability
Unauthenticated IDOR in appointment_id
Patched in Version
1.0.31
Severity Score
High
CVE
2022-4340
The vulnerability has been patched, so you should update to version 1.0.31.

WP Smart Import

Plugin
WP Smart Import : Import any XML File to WordPress
Plugin Slug
wp-smart-import
Installations
2,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
1.0.3
Severity Score
Medium
CVE
2022-40209
The vulnerability has been patched, so you should update to version 1.0.3.

Image Optimizer, Resizer and CDN

Plugin
Image Optimizer, Resizer and CDN – Sirv
Plugin Slug
sirv
Installations
1,000+
Vulnerability
Admin+ Stored XSS
Patched in Version
6.8.1
Severity Score
Low
CVE
2022-4119
The vulnerability has been patched, so you should update to version 6.8.1.

WordPress Filter Gallery Plugin

Plugin
WordPress Filter Gallery Plugin
Plugin Slug
filter-gallery
Installations
1,000+
Vulnerability
Admin+ Stored XSS
Patched in Version
0.1.6
Severity Score
Low
CVE
2022-4142
The vulnerability has been patched, so you should update to version 0.1.6.

WP-Lister Lite for Amazon

Plugin
WP-Lister Lite for Amazon
Plugin Slug
wp-lister-for-amazon
Installations
1,000+
Vulnerability
Reflected XSS
Patched in Version
2.4.4
Severity Score
High
CVE
2022-4369
The vulnerability has been patched, so you should update to version 2.4.4.

Joy Of Text Lite

Plugin
Joy Of Text Lite – SMS messaging for WordPress.
Plugin Slug
joy-of-text
Installations
900+
Vulnerability
Unauthenticated SQLi
Patched in Version
2.3.1
Severity Score
High
CVE
2022-4099
The vulnerability has been patched, so you should update to version 2.3.1.

Build App Online

Plugin
Build App Online
Plugin Slug
build-app-online
Installations
900+
Vulnerability
Unauthenticated SQL Injection
Patched in Version
1.0.19
Severity Score
High
CVE
2022-3241
The vulnerability has been patched, so you should update to version 1.0.19.
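The Joy Of Text Lite and Build App Online entries are both unauthenticated SQL injections, the class of plugin bug that most often ends in a full database dump. As an added example that is not either plugin's code, here is the shape such a bug usually takes in a WordPress plugin, next to the hardened version of the same endpoint. It assumes a WordPress install; the `demo_messages` table, the column names and the action names are hypothetical.

```php
<?php
/**
 * Plugin Name: SQLi pattern demo (added example, not from any listed plugin)
 * Description: Assumes a hypothetical table {$wpdb->prefix}demo_messages
 *              (id INT, subject TEXT, is_public TINYINT, created_at DATETIME).
 */

// VULNERABLE: a nopriv AJAX action (reachable without logging in) that drops
// raw request parameters into the query string.
add_action( 'wp_ajax_nopriv_demo_lookup_vuln', function () {
    global $wpdb;
    $id      = $_GET['id'] ?? '';
    $orderby = $_GET['orderby'] ?? 'created_at';
    // ?id=1 OR 1=1 returns every row; ?orderby=(SELECT ...) leaks data
    // through the sort order even when the rows themselves are filtered.
    $rows = $wpdb->get_results(
        "SELECT id, subject FROM {$wpdb->prefix}demo_messages WHERE id = $id ORDER BY $orderby"
    );
    wp_send_json( $rows );
} );

// HARDENED: same endpoint, three changes.
add_action( 'wp_ajax_nopriv_demo_lookup', 'demo_lookup_hardened' );
function demo_lookup_hardened() {
    global $wpdb;

    // 1. Coerce values to the type the column expects before they reach SQL.
    $id = absint( $_GET['id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 2. Identifiers (columns, tables, ASC/DESC) cannot be bound as values;
    //    map them through an allowlist instead of trying to escape them.
    $allowed_order = [ 'created_at', 'subject' ];
    $orderby       = $_GET['orderby'] ?? 'created_at';
    if ( ! in_array( $orderby, $allowed_order, true ) ) {
        $orderby = 'created_at';
    }

    // 3. Bind values with $wpdb->prepare(): %d emits an integer, %s a quoted,
    //    escaped string. The format string itself stays a literal and is never
    //    assembled from request data; only the allowlisted identifier goes in.
    $sql = $wpdb->prepare(
        "SELECT id, subject FROM {$wpdb->prefix}demo_messages
           WHERE id = %d AND is_public = 1 ORDER BY $orderby",
        $id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// The same rule for LIKE searches: escape the wildcard characters separately
// with esc_like(), then bind the result as an ordinary %s value.
function demo_search( string $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, subject FROM {$wpdb->prefix}demo_messages
           WHERE is_public = 1 AND subject LIKE %s LIMIT %d",
        $like,
        20
    ) );
}
```

When reviewing a plugin for this class, grep for `$wpdb->query`, `get_results`, `get_row`, `get_var` and `get_col` and check that every call either goes through `prepare()` or uses no request data at all; a `prepare()` whose first argument is itself built with string concatenation of user input is the second most common variant and is just as exploitable.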

Wholesale Market

Plugin
Wholesale Market
Plugin Slug
wholesale-market
Installations
600+
Vulnerability
Unauthenticated Arbitrary File Download
Patched in Version
2.2.1
Severity Score
High
CVE
2022-4298
The vulnerability has been patched, so you should update to version 2.2.1.

Visual Email Designer for WooCommerce

Plugin
Visual Email Designer for WooCommerce
Plugin Slug
email-customizer-woocommerce
Installations
100+
Vulnerability
Multiple Author+ SQLi
Patched in Version
1.7.2
Severity Score
Medium
CVE
2022-3860
The vulnerability has been patched, so you should update to version 1.7.2.

Login with Cognito

Plugin
Login with Cognito
Plugin Slug
login-with-cognito
Installations
60+
Vulnerability
Admin+ Stored XSS
Patched in Version
1.4.9
Severity Score
Low
CVE
2022-4200
The vulnerability has been patched, so you should update to version 1.4.9.

YITH WooCommerce Gift Cards

Plugin
YITH WooCommerce Gift Cards
Plugin Slug
yith-woocommerce-gift-cards-premium
Vulnerability
Unauthenticated Arbitrary File Upload
Patched in Version
3.20.0
Severity Score
Critical
CVE
2022-45359
The vulnerability has been patched, so you should update to version 3.20.0.

WP Cerber

Plugin
WP Cerber Security, Anti-spam & Malware Scan
Plugin Slug
wp-cerber
Vulnerability
User Enumeration Bypass via REST API
Patched in Version
9.3.3
Severity Score
Low
CVE
2022-4417
The vulnerability has been patched, so you should update to version 9.3.3.

WPQA

Plugin
WPQA Builder
Plugin Slug
wpqa
Vulnerability
Missing validation leads to functionality abuse
Patched in Version
5.9.3
Severity Score
Low
CVE
2022-3343
The vulnerability has been patched, so you should update to version 5.9.3.

Wholesale Market for WooCommerce

Plugin
Wholesale Market for WooCommerce
Plugin Slug
wholesale-market-for-woocommerce
Vulnerability
Admin+ Arbitrary Log Download
Patched in Version
2.0.0
Severity Score
Medium
CVE
2022-4109
The vulnerability has been patched, so you should update to version 2.0.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, uninstall and delete the plugin. Deactivating is not enough: the plugin's files stay on disk and may still be reachable directly.

WP User

Plugin
WP User – Custom Registration Forms, Login and User Profile
Plugin Slug
wp-user
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
CVE
2022-4049
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Quote-O-Matic

Plugin
Quote-O-Matic
Plugin Slug
quote-o-matic
Vulnerability
Admin+ SQLi
Patched in Version
No Fix
Severity Score
Medium
CVE
2022-4373
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Qe SEO Handyman

Plugin
Qe SEO Handyman
Plugin Slug
qe-seo-handyman
Vulnerability
Admin+ SQLi
Patched in Version
No Fix
Severity Score
Medium
CVE
2022-4351
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP AutoComplete Search

Plugin
WP AutoComplete Search
Plugin Slug
wp-autosearch
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
CVE
2022-4297
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Product list Widget for Woocommerce

Plugin
Product list Widget for Woocommerce
Plugin Slug
gm-woo-product-list-widget
Vulnerability
Reflected XSS
Patched in Version
No Fix
Severity Score
High
CVE
2022-4329
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Web Invoice

Plugin
Web Invoice – Invoicing and billing for WordPress
Plugin Slug
web-invoice
Vulnerability
Multiple Authenticated SQLi
Patched in Version
No Fix
Severity Score
High
CVE
2022-4372
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Cryptocurrency Widgets Pack

Plugin
Cryptocurrency Widgets Pack
Plugin Slug
cryptocurrency-widgets-pack
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
CVE
2022-4059
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

LetsRecover

Plugin
LetsRecover – WooCommerce Abandoned Cart Notifications
Plugin Slug
letsrecover-woocommerce-abandoned-cart
Vulnerability
Admin+ SQLi; Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
Medium
CVE
2022-4355
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Social Sharing

Plugin
WP Social Sharing
Plugin Slug
wp-social-sharing
Vulnerability
Admin+ Stored XSS
Patched in Version
No Fix
Severity Score
Low
CVE
2022-4198
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Multimedial Images

Plugin
multimedial images
Plugin Slug
multimedial-images
Vulnerability
Admin+ SQLi
Patched in Version
No Fix
Severity Score
Medium
CVE
2022-4370
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP RSS By Publishers

Plugin
WP RSS By Publishers
Plugin Slug
wp-rss-by-publishers
Vulnerability
Admin+ SQLi
Patched in Version
No Fix
Severity Score
Medium
CVE
2022-4358
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

This section lists the WordPress theme vulnerabilities disclosed this week. Each theme listing includes the type of vulnerability, the version that fixes it (if patched), the severity rating, and the CVE.

Superio – Job Board

Theme
Superio
Theme Slug
superio
Vulnerability
Subscriber+ Stored Cross-Site Scripting
Patched in Version
1.2.33
Severity Score
Low
CVE
2022-4114
The vulnerability has been patched, so you should update to version 1.2.33.

WPQA – Himer

Theme
Himer
Theme Slug
himer
Vulnerability
Missing validation leads to functionality abuse
Patched in Version
No Fix
Severity Score
Low
CVE
2022-3343
The vulnerability has not been patched. You should switch themes.

WPQA – Discy

Theme
Discy
Theme Slug
discy
Vulnerability
Missing validation leads to functionality abuse
Patched in Version
No Fix
Severity Score
Low
CVE
2022-3343
The vulnerability has not been patched. You should switch themes.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the WPScan Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

iThemes Editorial Team

Each week, the iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.
