Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
1. Contact Form 7 Database Addon
Plugin: Contact Form 7 Database Addon
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 400,000+
Patched in Version: 1.2.6.2
Severity Score: Medium
Plugin: Contact Form 7 Database Addon
Vulnerability: Arbitrary Form Deletion via CSRF
Active Installation: 400,000+
Patched in Version: 1.2.6.2
Severity Score: Medium
2. Easy Forms for Mailchimp
Plugin: Easy Forms for Mailchimp
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 6.8.6
Severity Score: Medium
3. Relevanssi – A Better Search
Plugin: Relevanssi – A Better Search
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 4.14.3
Severity Score: High
4. Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 90,000+
Patched in Version: 3.1.25
Severity Score: High
5. Product Feed PRO for WooCommerce
Plugin: Product Feed PRO for WooCommerce
Vulnerability: Subscriber+ Settings Update to Stored XSS
Active Installation: 80,000+
Patched in Version: 11.0.7
Severity Score: High
6. Post Grid
Plugin: Post Grid
Vulnerability: Contributor+ SQL Injection
Active Installation: 60,000+
Patched in Version: 2.1.13
Severity Score: Medium
7. Contact Form Entries
Plugin: Contact Form Entries
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.2.4
Severity Score: High
8. Event Tickets
Plugin: Event Tickets
Vulnerability: Open Redirect
Active Installation: 40,000+
Patched in Version: 5.2.2
Severity Score: Medium
9. Advanced Custom Fields: Extended
Plugin: Advanced Custom Fields: Extended
Vulnerability: Admin+ SQL Injection
Active Installation: 40,000+
Patched in Version: 0.8.8.7
Severity Score: Medium
10. Accept Donations with PayPal
Plugin: Accept Donations with PayPal
Vulnerability: Arbitrary Post Deletion via CSRF
Active Installation: 30,000+
Patched in Version: 1.3.4
Severity Score: High
11. ACF Photo Gallery Field
Plugin: ACF Photo Gallery Field
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 30,000+
Patched in Version: 1.7.5
Severity Score: Medium
12. Simple Download Monitor
Plugin: Simple Download Monitor
Vulnerability: Multiple CSRF
Active Installation: 30,000+
Patched in Version: 3.9.11
Severity Score: Medium
13. Protect WP Admin
Plugin: Protect WP Admin
Vulnerability: Unauthenticated Plugin Deactivation
Active Installation: 30,000+
Patched in Version: 3.6.2
Severity Score: Medium
14. Backup and Staging by WP Time Capsule
Plugin: Backup and Staging by WP Time Capsule
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 1.22.7
Severity Score: High
15. Event Calendar
Plugin: Event Calendar
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 1.1.51
Severity Score: High
Plugin: Event Calendar
Vulnerability: Subscriber+ Event Creation
Active Installation: 20,000+
Patched in Version: 1.1.51
Severity Score: Medium
16. Five Star Restaurant Reservations
Plugin: Five Star Restaurant Reservations
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 2.4.8
Severity Score: High
17. Asgaros Forum
Plugin: Asgaros Forum
Vulnerability: Admin+ SQL Injection via forum_id
Active Installation: 20,000+
Patched in Version: 1.15.15
Severity Score: Medium
18. WP125
Plugin: WP125
Vulnerability: Arbitrary Ad Deletion via CSRF
Active Installation: 10,000+
Patched in Version: 1.5.5
Severity Score: Medium
19. Affiliates Manager
Plugin: Affiliates Manager
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.9.0
Severity Score: High
20. Smart SEO Tool
Plugin: Smart SEO Tool
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 9,000+
Patched in Version: 3.0.6
Severity Score: Medium
21. tarteaucitron.js – Cookies legislation & GDPR
Plugin: tarteaucitron.js – Cookies legislation & GDPR
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 7,000+
Patched in Version: 1.6
Severity Score: Medium
Plugin: tarteaucitron.js – Cookies legislation & GDPR
Vulnerability: Admin + Stored Cross-Site Scripting
Active Installation: 7,000+
Patched in Version: 1.6.1
Severity Score: Low
22. SEO Booster
Plugin: SEO Booster
Vulnerability: Admin+ SQL Injection
Active Installation: 4,000+
Patched in Version: 3.8
Severity Score: Medium
23. Booking.com Banner Creator
Plugin: Booking.com Banner Creator
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 3,000+
Patched in Version: 1.4.3
Severity Score: Low
24. Profile Extra Fields
Plugin: Profile Extra Fields
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 2,000+
Patched in Version: 1.2.4
Severity Score: High
25. Booking.com Product Helper
Plugin: Booking.com Product Helper
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 2,000+
Patched in Version: 1.0.2
Severity Score: Low
26. SEUR Oficial
Plugin: SEUR Oficial
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 1,000+
Patched in Version: 1.7.0
Severity Score: Medium
27. Spreadsheet Integration
Plugin: Spreadsheet Integration
Vulnerability: CSRF Bypass
Active Installation: 1,000+
Patched in Version: 3.6.0
Severity Score: Medium
Plugin: Spreadsheet Integration
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 1,000+
Patched in Version: 3.6.0
Severity Score: High
28. ClickBank Affiliate Ads
Plugin: ClickBank Affiliate Ads
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 700+
Patched in Version: 1.35
Severity Score: Low
Plugin: ClickBank Affiliate Ads
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 700+
Patched in Version: 1.35
Severity Score: High
29. Stetic
Plugin: Stetic
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 300+
Patched in Version: 1.0.9
Severity Score: High
30. Mobile Events Manager
Plugin: Mobile Events Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 20+
Patched in Version: 1.4.4
Severity Score: Low
WordPress Plugin Vulnerabilities: No Known Fix
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.
31. AnyComment
Plugin: AnyComment
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 4,000+
Patched in Version: No known fix
Severity Score: Medium
WordPress Plugin Vulnerabilities: Plugin Closed
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.
32. Tabs
Plugin: Tabs
Vulnerability: Unauthenticated Arbitrary Option Update
Patched in Version: 3.6.0 – plugin closed
Severity Score: Critical
33. Shortcode Addons
Plugin: Shortcode Addons
Vulnerability: Unauthenticated Arbitrary Option Update
Patched in Version: 3.1.0 – plugin closed
Severity Score: Critical
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from the weekly WordPress Vulnerability Report, many new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with Site Scanning
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
