WordPress Vulnerability Report: December 2021, Part 5

Written by Michael Moore on December 29, 2021

Last Updated on December 29, 2021

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the December 22, 2021 Report
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • 1. Contact Form 7 Database Addon
    • 2. Easy Forms for Mailchimp
    • 3. Relevanssi – A Better Search
    • 4. Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
    • 5. Product Feed PRO for WooCommerce
    • 6. Post Grid
    • 7. Contact Form Entries
    • 8. Event Tickets
    • 9. Advanced Custom Fields: Extended
    • 10. Accept Donations with PayPal
    • 11. ACF Photo Gallery Field
    • 12. Simple Download Monitor
    • 13. Protect WP Admin
    • 14. Backup and Staging by WP Time Capsule
    • 15. Event Calendar
    • 16. Five Star Restaurant Reservations 
    • 17. Asgaros Forum
    • 18. WP125
    • 19. Affiliates Manager
    • 20. Smart SEO Tool 
    • 21. tarteaucitron.js – Cookies legislation & GDPR
    • 22. SEO Booster
    • 23. Booking.com Banner Creator
    • 24. Profile Extra Fields
    • 25. Booking.com Product Helper
    • 26. SEUR Oficial
    • 27. Spreadsheet Integration
    • 28. ClickBank Affiliate Ads
    • 29. Stetic
    • 30. Mobile Events Manager
  • WordPress Plugin Vulnerabilities: No Known Fix
    • 31. AnyComment 
  • WordPress Plugin Vulnerabilities: Plugin Closed
    • 32. Tabs
    • 33. Shortcode Addons
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with Site Scanning

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version number in which it was patched, and the severity rating.

1. Contact Form 7 Database Addon

Plugin: Contact Form 7 Database Addon
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 400,000+
Patched in Version: 1.2.6.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.6.2.

Plugin: Contact Form 7 Database Addon
Vulnerability: Arbitrary Form Deletion via CSRF
Active Installation: 400,000+
Patched in Version: 1.2.6.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.6.2.

2. Easy Forms for Mailchimp

Plugin: Easy Forms for Mailchimp
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 6.8.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.8.6.

3. Relevanssi – A Better Search

Plugin: Relevanssi – A Better Search
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 4.14.3
Severity Score: High

The vulnerability is patched, so you should update to version 4.14.3.

4. Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 90,000+
Patched in Version: 3.1.25
Severity Score: High

The vulnerability is patched, so you should update to version 3.1.25.

5. Product Feed PRO for WooCommerce

Plugin: Product Feed PRO for WooCommerce
Vulnerability: Subscriber+ Settings Update to Stored XSS
Active Installation: 80,000+
Patched in Version: 11.0.7
Severity Score: High

The vulnerability is patched, so you should update to version 11.0.7.

6. Post Grid

Plugin: Post Grid
Vulnerability: Contributor+ SQL Injection
Active Installation: 60,000+
Patched in Version: 2.1.13
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.13.

7. Contact Form Entries

Plugin: Contact Form Entries
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.2.4
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.4.

8. Event Tickets

Plugin: Event Tickets
Vulnerability: Open Redirect
Active Installation: 40,000+
Patched in Version: 5.2.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 5.2.2.

9. Advanced Custom Fields: Extended

Plugin: Advanced Custom Fields: Extended
Vulnerability: Admin+ SQL Injection
Active Installation: 40,000+
Patched in Version: 0.8.8.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 0.8.8.7.

10. Accept Donations with PayPal

Plugin: Accept Donations with PayPal
Vulnerability: Arbitrary Post Deletion via CSRF
Active Installation: 30,000+
Patched in Version: 1.3.4
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.4.

11. ACF Photo Gallery Field

Plugin: ACF Photo Gallery Field
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 30,000+
Patched in Version: 1.7.5
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.5.

12. Simple Download Monitor

Plugin: Simple Download Monitor
Vulnerability: Multiple CSRF
Active Installation: 30,000+
Patched in Version: 3.9.11
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.9.11.

13. Protect WP Admin

Plugin: Protect WP Admin
Vulnerability: Unauthenticated Plugin Deactivation
Active Installation: 30,000+
Patched in Version: 3.6.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.6.2.

14. Backup and Staging by WP Time Capsule

Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 1.22.7
Severity Score: High

The vulnerability is patched, so you should update to version 1.22.7.

15. Event Calendar

Plugin: Event Calendar
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 1.1.51
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.51.

Plugin: Event Calendar
Vulnerability: Subscriber+ Event Creation
Active Installation: 20,000+
Patched in Version: 1.1.51
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.51.

16. Five Star Restaurant Reservations

Plugin: Five Star Restaurant Reservations
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 2.4.8
Severity Score: High

The vulnerability is patched, so you should update to version 2.4.8.

17. Asgaros Forum

Plugin: Asgaros Forum
Vulnerability: Admin+ SQL Injection via forum_id
Active Installation: 20,000+
Patched in Version: 1.15.15
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.15.15.

18. WP125

Plugin: WP125
Vulnerability: Arbitrary Ad Deletion via CSRF
Active Installation: 10,000+
Patched in Version: 1.5.5
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.5.

19. Affiliates Manager

Plugin: Affiliates Manager
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.9.0
Severity Score: High

The vulnerability is patched, so you should update to version 2.9.0.

20. Smart SEO Tool

Plugin: Smart SEO Tool
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 9,000+
Patched in Version: 3.0.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.6.

21. tarteaucitron.js – Cookies legislation & GDPR

Plugin: tarteaucitron.js – Cookies legislation & GDPR
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 7,000+
Patched in Version: 1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.

Plugin: tarteaucitron.js – Cookies legislation & GDPR
Vulnerability: Admin + Stored Cross-Site Scripting
Active Installation: 7,000+
Patched in Version: 1.6.1
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.1.

22. SEO Booster

Plugin: SEO Booster
Vulnerability: Admin+ SQL Injection
Active Installation: 4,000+
Patched in Version: 3.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.8.

23. Booking.com Banner Creator

Plugin: Booking.com Banner Creator
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 3,000+
Patched in Version: 1.4.3
Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.3.

24. Profile Extra Fields

Plugin: Profile Extra Fields
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 2,000+
Patched in Version: 1.2.4
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.4.

25. Booking.com Product Helper

Plugin: Booking.com Product Helper
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 2,000+
Patched in Version: 1.0.2
Severity Score: Low

The vulnerability is patched, so you should update to version 1.0.2.

26. SEUR Oficial

Plugin: SEUR Oficial
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 1,000+
Patched in Version: 1.7.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.0.

27. Spreadsheet Integration

Plugin: Spreadsheet Integration
Vulnerability: CSRF Bypass
Active Installation: 1,000+
Patched in Version: 3.6.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.6.0.

Plugin: Spreadsheet Integration
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 1,000+
Patched in Version: 3.6.0
Severity Score: High

The vulnerability is patched, so you should update to version 3.6.0.

28. ClickBank Affiliate Ads

Plugin: ClickBank Affiliate Ads
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 700+
Patched in Version: 1.35
Severity Score: Low

The vulnerability is patched, so you should update to version 1.35.

Plugin: ClickBank Affiliate Ads
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 700+
Patched in Version: 1.35
Severity Score: High

The vulnerability is patched, so you should update to version 1.35.

29. Stetic

Plugin: Stetic
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 300+
Patched in Version: 1.0.9
Severity Score: High

The vulnerability is patched, so you should update to version 1.0.9.

30. Mobile Events Manager

Plugin: Mobile Events Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 20+
Patched in Version: 1.4.4
Severity Score: Low

The vulnerability is patched, so you should update to version 1.4.4.

WordPress Plugin Vulnerabilities: No Known Fix

This section lists the latest disclosed WordPress plugin vulnerabilities for which no fix is currently available. Each plugin listing includes the type of vulnerability, the number of active installations, and the severity rating.

31. AnyComment

Plugin: AnyComment
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 4,000+
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

WordPress Plugin Vulnerabilities: Plugin Closed

This section lists the latest vulnerabilities disclosed in plugins that have since been closed. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.

32. Tabs

Plugin: Tabs
Vulnerability: Unauthenticated Arbitrary Option Update
Patched in Version: 3.6.0 – plugin closed
Severity Score: Critical

This vulnerability has been patched, but the plugin has been closed as of December 20, 2021. Uninstall and delete it.

33. Shortcode Addons

Plugin: Shortcode Addons
Vulnerability: Unauthenticated Arbitrary Option Update
Patched in Version: 3.1.0 – plugin closed
Severity Score: Critical

This vulnerability has been patched, but the plugin has been closed as of December 20, 2021. Uninstall and delete it.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from the weekly WordPress Vulnerability Report, many new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked, with 30+ ways to secure your site in one easy-to-use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Activate File Change Detection

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with Site Scanning

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices
  • reCAPTCHA
  • Brute force protection
  • Privilege escalation
  • Compromised passwords check & refusal

Save 35% Off iThemes Security Pro Through Dec. 31
