WordPress Vulnerability Report – December 28, 2022
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of low, medium, high, or critical.
Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version number the issue is patched in, the severity rating, and the CVE.
MonsterInsights
- Plugin Slug: google-analytics-for-wordpress
- Installations: 3,000,000+
- Vulnerability: Stored Cross-Site Scripting via Google Analytics
- Patched in Version: 8.9.1
- Severity Score: Medium
- CVE: 2022-3904
Click to Chat
- Plugin: Click to Chat
- Plugin Slug: click-to-chat-for-whatsapp
- Installations: 400,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 3.18.1
- Severity Score: High
- CVE: 2022-4480
Font Awesome
- Plugin: Font Awesome
- Plugin Slug: font-awesome
- Installations: 300,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 4.3.2
- Severity Score: High
- CVE: 2022-4478
ProfilePress
- Plugin Slug: wp-user-avatar
- Installations: 300,000+
- Vulnerability: Admin+ Stored Cross-Site Scripting via Form Settings; Admin+ Stored Cross-Site Scripting
- Patched in Version: 4.5.1
- Severity Score: Low
- CVE: 2022-4698
Table of Contents Plus
- Plugin: Table of Contents Plus
- Plugin Slug: table-of-contents-plus
- Installations: 300,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 2212
- Severity Score: High
- CVE: 2022-4479
Anti-Malware Security and Brute-Force Firewall
- Plugin Slug: gotmls
- Installations: 200,000+
- Vulnerability: Admin+ PHP Object Injection
- Patched in Version: 4.21.86
- Severity Score: Low
- CVE: 2022-4327
Page Scroll To ID
- Plugin: Page scroll to id
- Plugin Slug: page-scroll-to-id
- Installations: 100,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 1.7.6
- Severity Score: High
- CVE: 2022-4449
Real Cookie Banner
- Plugin Slug: real-cookie-banner
- Installations: 100,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 3.4.10
- Severity Score: High
- CVE: 2022-4507
Mesmerize Companion
- Plugin: Mesmerize Companion
- Plugin Slug: mesmerize-companion
- Installations: 100,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 1.6.135
- Severity Score: High
- CVE: 2022-4481
Slimstat Analytics
- Plugin: Slimstat Analytics
- Plugin Slug: wp-slimstat
- Installations: 100,000+
- Vulnerability: Unauthenticated Stored XSS
- Patched in Version: 4.9.3
- Severity Score: High
- CVE: 2022-4310
Smash Balloon Social Post Feed
- Plugin Slug: custom-facebook-feed
- Installations: 100,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 4.1.6
- Severity Score: High
- CVE: 2022-4477
WPtouch
Download Manager
- Plugin: Download Manager
- Plugin Slug: download-manager
- Installations: 100,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 3.2.62
- Severity Score: High
- CVE: 2022-4476
WOOCS
- Plugin Slug: woocommerce-currency-switcher
- Installations: 70,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 1.3.9.4
- Severity Score: High
- CVE: 2022-4431
3D FlipBook
- Plugin Slug: interactive-3d-flipbook-powered-physics-engine
- Installations: 70,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 1.13.3
- Severity Score: High
- CVE: 2022-4453
Carousel, Slider, Gallery by WP Carousel
- Plugin Slug: wp-carousel-free
- Installations: 50,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 2.5.3
- Severity Score: High
- CVE: 2022-4482
WP Video Lightbox
- Plugin: WP Video Lightbox
- Plugin Slug: wp-video-lightbox
- Installations: 50,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 1.9.7
- Severity Score: High
- CVE: 2022-4465
Simple Membership
- Plugin: Simple Membership
- Plugin Slug: simple-membership
- Installations: 50,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 4.2.2
- Severity Score: High
- CVE: 2022-4469
WP Recipe Maker
- Plugin: WP Recipe Maker
- Plugin Slug: wp-recipe-maker
- Installations: 50,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 8.6.1
- Severity Score: High
- CVE: 2022-4468
Themify Portfolio Post
- Plugin: Themify Portfolio Post
- Plugin Slug: themify-portfolio-post
- Installations: 50,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 1.2.1
- Severity Score: High
- CVE: 2022-4464
Metricool
ConvertKit
- Plugin Slug: convertkit
- Installations: 40,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 2.0.5
- Severity Score: High
- CVE: 2022-4508
Super Socializer
- Plugin Slug: super-socializer
- Installations: 40,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 7.13.44
- Severity Score: High
- CVE: 2022-4484
Real Testimonials
- Plugin: Real Testimonials
- Plugin Slug: testimonial-free
- Installations: 40,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 2.6.0
- Severity Score: High
- CVE: 2022-4648
Easy Accordion
- Plugin Slug: easy-accordion-free
- Installations: 40,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 2.2.0
- Severity Score: High
- CVE: 2022-4487
MashShare
- Plugin Slug: mashsharer
- Installations: 30,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 3.8.7
- Severity Score: High
- CVE: 2022-4544
Seriously Simple Podcasting
- Plugin: Seriously Simple Podcasting
- Plugin Slug: seriously-simple-podcasting
- Installations: 30,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 2.19.1
- Severity Score: High
- CVE: 2022-4571
Jetpack CRM
- Plugin Slug: zero-bs-crm
- Installations: 30,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 5.5
- Severity Score: High
- CVE: 2022-4497
Subscribe2
- Plugin Slug: subscribe2
- Installations: 30,000+
- Vulnerability: User Deletion via CSRF
- Patched in Version: 10.38
- Severity Score: High
- CVE: 2022-4309
WCK
- Plugin Slug: wck-custom-fields-and-custom-post-types-creator
- Installations: 20,000+
- Vulnerability: Admin+ Stored XSS
- Patched in Version: 2.3.3
- Severity Score: Low
- CVE: 2022-4442
Welcart e-Commerce
- Plugin: Welcart e-Commerce
- Plugin Slug: usc-e-shop
- Installations: 20,000+
- Vulnerability: Contributor+ Stored XSS via Shortcode
- Patched in Version: 2.8.9
- Severity Score: High
- CVE: 2022-4655
Link Library
- Plugin: Link Library
- Plugin Slug: link-library
- Installations: 10,000+
- Vulnerability: Admin+ Stored XSS
- Patched in Version: 7.4.1
- Severity Score: Low
- CVE: 2022-4199
Greenshift – animation and page builder blocks
- Plugin Slug: greenshift-animation-and-page-builder-blocks
- Installations: 10,000+
- Vulnerability: Contributor+ Stored XSS via Shortcode
- Patched in Version: 4.8.9
- Severity Score: High
- CVE: 2022-4653
Tickera
- Plugin Slug: tickera-event-ticketing-system
- Installations: 5,000+
- Vulnerability: Plugin Data Deletion via CSRF
- Patched in Version: 3.5.1.0
- Severity Score: Low
- CVE: 2022-4549
WP Spell Check
- Plugin: WP Spell Check
- Plugin Slug: wp-spell-check
- Installations: 3,000+
- Vulnerability: Ignored Word Deletion via CSRF; Admin+ Stored Cross-Site Scripting
- Patched in Version: 9.13
- Severity Score: Medium
Show All Comments
- Plugin: Show All Comments
- Plugin Slug: show-all-comments-in-one-page
- Installations: 900+
- Vulnerability: Reflected XSS
- Patched in Version: 7.0.1
- Severity Score: High
- CVE: 2022-4295
WordPress Events Calendar Plugin
- Plugin Slug: connect-daily-web-calendar
- Installations: 200+
- Vulnerability: Multiple Reflected XSS
- Patched in Version: 1.4.5
- Severity Score: High
- CVE: 2022-4320
Mautic Integration For WooCommerce
- Plugin Slug: mautic-integration-for-woocommerce
- Vulnerability: Arbitrary Options Update via CSRF
- Patched in Version: 1.0.3
- Severity Score: High
- CVE: 2022-4426
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.
Conditional Payment Methods for WooCommerce
- Plugin Slug: conditional-payment-methods-for-woocommerce
- Vulnerability: Admin+ SQLi
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: 2022-4547
WP Attachments
- Plugin: WP Attachments
- Plugin Slug: wp-attachments
- Vulnerability: Admin+ Stored XSS
- Patched in Version: No Fix
- Severity Score: Low
- CVE: 2022-4330
Easy Bootstrap Shortcode
- Plugin: Easy Bootstrap Shortcode
- Plugin Slug: easy-bootstrap-shortcodes
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: No Fix
- Severity Score: High
- CVE: 2022-4576
Images Optimize and Upload CF7
- Plugin Slug: images-optimize-and-upload-cf7
- Vulnerability: Unauthenticated Arbitrary File Deletion
- Patched in Version: No Fix
- Severity Score: Critical
- CVE: 2022-4101
Fontsy
User Post Gallery
- Plugin: User Post Gallery – UPG
- Plugin Slug: wp-upg
- Vulnerability: Unauthenticated RCE
- Patched in Version: No Fix
- Severity Score: Critical
- CVE: 2022-4060
RSSImport
Sidebar Widgets by CodeLights
- Plugin Slug: codelights-shortcodes-and-widgets
- Vulnerability: Contributor+ Stored XSS; Admin+ Stored Cross Site Scripting
- Patched in Version: No Fix
- Severity Score: High
- CVE: 2022-4460
WordPress Theme Vulnerabilities
This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version number the issue is patched in, the severity rating, and the CVE.