Menu
iThemes
WordPress Security, Backups & Maintenance
  • Products
    • iThemes Security Pro
    • BackupBuddy
    • iThemes Sync
    • Why buy from iThemes?
  • Bundles
    • Essentials Bundle
    • Plugin Suite
    • WordPress Web Designer’s Toolkit
    • Customer Spotlights
  • Resources
    • Blog
    • WordPress 101 Tutorials
    • WordPress Ebooks
    • Weekly WordPress Vulnerability Report
    • The Ultimate Guide to Starting a Web Design Business
  • Training
    • Upcoming Webinars
    • Free Webinar Library
    • Premium Courses
    • Become a Member
    • Member Login
  • Support
    • Documentation
    • Get Help
    • Product Updates
    • Upgrade Policy
    • Contact
    • Our Mission: Make People’s Lives Awesome
  • Log In
WordPress News and Updates from iThemes
Categories
  • Product Updates
  • WordPress Backup
  • WordPress Block Editor
  • WordPress Ecommerce
  • WordPress for Freelancers
  • WordPress Security
  • WordPress Tutorials
  • WPprosper

WordPress Vulnerability Report: December 2021, Part 3

Written by iThemes Editorial Team on December 15, 2021

Last Updated on December 15, 2021

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

Contents of the December 15, 2021 Report
  • WordPress News
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • 1. Elementor
    • 2. UpdraftPlus
    • 3. WooCommerce PDF Invoices & Packing Slips
    • 4. PublishPress Capabilities
    • 5. Chaty Free
    • 6. PowerPack Addons for Elementor
    • 7. Booking Calendar
    • 8. 10Web Social Photo Feed
    • 9. Site Reviews 
    • 10. Speed Booster Pack 
    • 11. Multivendor Marketplace Solution for WooCommerce
    • 12. Modal Window
    • 13. WP Coder
    • 14. RegistrationMagic
    • 15. Events Made Easy
    • 16. Button Generator
    • 17. Tab – Accordion, FAQ
    • 18. Stars Rating
    • 19. WPcalc 
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring
Want this report delivered to your inbox each week?
Subscribe to the weekly email

WordPress News

As the busiest online shopping time of the year is in full swing, cybercriminals have been busy with attempts to “hack the planet.” Wordfence recently reported a massive wave of attacks that targeted 1.6 million WordPress sites over the course of just 36 hours!

Finally, BleepingComputer recently reported that hackers have been installing skimmer code into random plugins. To tighten security for e-commerce sites, we recommend requiring two-factor authentication for all admin users, activating trusted devices, file change detection, and that WordPress security logs be read and reviewed regularly.

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

1. Elementor

Plugin: Elementor 
Vulnerability: DOM Cross-Site-Scripting
Active Installation: 5+ million
Patched in Version: 3.4.8
Severity Score: High

The vulnerability is patched, so you should update to version 3.4.8.

2. UpdraftPlus

Plugin: UpdraftPlus 
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.16.66
Severity Score: High

The vulnerability is patched, so you should update to version 1.16.66.

3. WooCommerce PDF Invoices & Packing Slips

Plugin: WooCommerce PDF Invoices & Packing Slips 
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 300,000+
Patched in Version: 2.10.5
Severity Score: High

The vulnerability is patched, so you should update to version 2.10.5.

4. PublishPress Capabilities

Plugin: PublishPress Capabilities 
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Active Installation: 100,000+
Patched in Version: 2.3.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.3.1.

Plugin: PublishPress Capabilities Pro
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Patched in Version: 2.3.1
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.3.1.

5. Chaty Free

Plugin: Chaty Free 
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 2.8.3
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.3.

Plugin: Chaty Pro 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.8.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.2.

6. PowerPack Addons for Elementor

Plugin: PowerPack Addons for Elementor
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 60,000+
Patched in Version: 2.6.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.2.

7. Booking Calendar

Plugin: Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 60,000+
Patched in Version: 8.9.2
Severity Score: High

The vulnerability is patched, so you should update to version 8.9.2.

8. 10Web Social Photo Feed

Plugin: 10Web Social Photo Feed 
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 60,000+
Patched in Version: 1.4.29
Severity Score: High

The vulnerability is patched, so you should update to version 1.4.29.

9. Site Reviews 

Plugin: Site Reviews 
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 5.17.3
Severity Score: High

The vulnerability is patched, so you should update to version 5.17.3.

10. Speed Booster Pack 

Plugin: Speed Booster Pack 
Vulnerability: Admin+ SQL Injection
Active Installation: 30,000+
Patched in Version: 4.3.3.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.3.3.1.

11. Multivendor Marketplace Solution for WooCommerce

Plugin: Multivendor Marketplace Solution for WooCommerce
Vulnerability: Unauthenticated AJAX Calls
Active Installation: 10,000+
Patched in Version: 3.8.4
Severity Score: High

The vulnerability is patched, so you should update to version 3.8.4.

12. Modal Window

Plugin: Modal Window
Vulnerability: RFI leading to RCE via CSRF
Active Installation: 10,000+
Patched in Version: 5.2.2
Severity Score: High

The vulnerability is patched, so you should update to version 5.2.2.

13. WP Coder

Plugin: WP Coder
Vulnerability: RFI leading to RCE via CSRF
Active Installation: 10,000+
Patched in Version: 2.5.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.5.2.

14. RegistrationMagic

Plugin: RegistrationMagic
Vulnerability: Admin+ SQL Injection
Active Installation: 10,000+
Patched in Version: 5.0.1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 5.0.1.6.

Plugin: RegistrationMagic
Vulnerability: Authentication Bypass
Active Installation: 10,000+
Patched in Version: 5.0.1.8
Severity Score: Critical

The vulnerability is patched, so you should update to version 5.0.1.8.

15. Events Made Easy

Plugin: Events Made Easy
Vulnerability: Subscriber+ SQL Injection
Active Installation: 6,000+
Patched in Version: 2.2.36
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.36.

16. Button Generator

Plugin: Button Generator
Vulnerability: RFI leading to RCE via CSRF
Active Installation: 5,000+
Patched in Version: 2.3.3
Severity Score: High

The vulnerability is patched, so you should update to version 2.3.3.

17. Tab – Accordion, FAQ

Plugin: Tab – Accordion, FAQ
Vulnerability: Unauthenticated AJAX Calls
Active Installation: 2000+
Patched in Version: 1.3.2
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.3.2.

18. Stars Rating

Plugin: Stars Rating
Vulnerability: Comments Denial of Service
Active Installation: 800+
Patched in Version: 3.5.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.2.

19. WPcalc 

Plugin: WPcalc 
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of December 9, 2021. Uninstall and delete.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Activate File Change Detection

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices
  • reCAPTCHA
  • Brute force protection
  • Two-factor authentication
  • Magic login links
  • Privilege escalation
  • Compromised passwords check & refusal

Get iThemes Security Pro

iThemes Team
iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

Share via:

  • Facebook
  • Twitter
  • LinkedIn
  • More
Other related posts
ip hack
What is an IP Hack?
Patchstack 2022 WordPress Security Review
The State of WordPress Security: Community and Collaboration Help Us All Win
wordpress-vulnerability-report
WordPress Vulnerability Report – March 8, 2023
denial of service
What is a Denial of Service (DoS)?

Get updates on new themes & plugins plus special discounts

About iThemes

  • Contact Us
  • Website Accessibility Statement
  • Sitemap

Resources

  • Blog
  • Documentation
  • WordPress Tutorials
  • Free WordPress Ebooks
  • Free Webinar Library
  • Free Upcoming Webinars
  • iThemes Training
  • Affiliates

Customers

  • Member Panel Login
  • Support
  • FAQs
  • Upgrade Policy
  • Licensing
  • Terms and Conditions
  • Refund Policy

Top Products

  • BackupBuddy
  • iThemes Security Pro
  • iThemes Sync
  • Restrict Content Pro
  • WPComplete
  • WordPress Plugins
  • Content Upgrades
  • WordPress Landing Page Plugin
  • BackupBuddy Stash

iThemes Media LLC Copyright © 2023 All rights reserved | Privacy Policy

A Liquid Web Brand © 2022 All Rights Reserved.

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Report
Share via
Facebook
Twitter
LinkedIn
Mix
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.
No spam. Unsubscribe anytime.