
WordPress Vulnerability Report – December 7, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of low, medium, high, or critical.

SolidWP Editorial Team

Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible. As always with a core release like this, make sure your site is backed up with BackupBuddy before updating.

No new WordPress core vulnerabilities were disclosed this week.


WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version in which it was patched (if a patch exists), the severity rating, and the CVE.

Autoptimize

Plugin Slug:
autoptimize
Installations:
1,000,000+
Vulnerability:
Sensitive Data Disclosure
Patched in Version:
3.1.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.1.0.

Easy WP SMTP

Plugin Slug:
easy-wp-smtp
Installations:
600,000+
Vulnerability:
Admin+ Arbitrary File Deletion; Admin+ Arbitrary File Access
Patched in Version:
1.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.2.

Custom Product Tabs for WooCommerce

Plugin Slug:
yikes-inc-easy-custom-woocommerce-product-tabs
Installations:
100,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
1.8.0
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.8.0.

Booster for WooCommerce

Plugin Slug:
woocommerce-jetpack
Installations:
70,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
5.6.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.6.3.

Stop Spammers Security

Plugin Slug:
stop-spammer-registrations-plugin
Installations:
60,000+
Vulnerability:
Unauthenticated PHP Object Injection
Patched in Version:
2022.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2022.6.

Sliderby10Web

Plugin Slug:
slider-wd
Installations:
30,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
1.2.53
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.2.53.

Appointment Hour Booking

Plugin Slug:
appointment-hour-booking
Installations:
30,000+
Vulnerability:
Unauthenticated iFrame Injection; CSV Injection; CAPTCHA Bypass
Patched in Version:
1.3.73
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.73.

WP Google Review Slider

Plugin Slug:
wp-google-places-review-slider
Installations:
20,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
11.6
Severity Score:
Low
The vulnerability has been patched, so you should update to version 11.6.

Google Apps Login

Plugin Slug:
google-apps-login
Installations:
20,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
3.4.5
Severity Score:
Low
The vulnerability has been patched, so you should update to version 3.4.5.

Welcart e-Commerce

Plugin Slug:
usc-e-shop
Installations:
20,000+
Vulnerability:
Subscriber+ PHAR Deserialisation; Unauthenticated Arbitrary File Access; Subscriber+ Arbitrary File Access
Patched in Version:
2.8.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.8.6.

GD bbPress Attachments

Plugin Slug:
gd-bbpress-attachments
Installations:
10,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
4.4
Severity Score:
Low
The vulnerability has been patched, so you should update to version 4.4.

Simple Basic Contact Form

Plugin Slug:
simple-basic-contact-form
Installations:
10,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
20221201
Severity Score:
Low
The vulnerability has been patched, so you should update to version 20221201.

WP-Ban

Plugin Slug:
wp-ban
Installations:
10,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
1.69.1
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.69.1.

All-in-One Addons for Elementor – WidgetKit

Plugin Slug:
widgetkit-for-elementor
Installations:
10,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
2.4.4
Severity Score:
Low
The vulnerability has been patched, so you should update to version 2.4.4.

Kwayy HTML Sitemap

Plugin Slug:
kwayy-html-sitemap
Installations:
7,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
4.0
Severity Score:
Low
The vulnerability has been patched, so you should update to version 4.0.

Chained Quiz

Plugin Slug:
chained-quiz
Installations:
2,000+
Vulnerability:
Admin+ Stored XSS; Multiple Reflected Cross-Site Scripting; Arbitrary Question Deletion via CSRF; Reflected Cross-Site Scripting; Submitted Quiz Response Deletion via CSRF; Arbitrary Quiz Deletion & Copying via CSRF
Patched in Version:
1.3.2.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.2.5.

filter-gallery

Plugin Slug:
filter-gallery
Installations:
1,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
0.1.6
Severity Score:
Low
The vulnerability has been patched, so you should update to version 0.1.6.

Simple:Press

Plugin Slug:
simplepress
Installations:
600+
Vulnerability:
Admin+ Arbitrary File Update; Subscriber+ Arbitrary File Deletion; Unauthenticated Stored XSS via Forum Replies; Subscriber+ Stored XSS via Profile Signatures
Patched in Version:
6.8.1
Severity Score:
Low
The vulnerability has been patched, so you should update to version 6.8.1.

ARMember

Plugin Slug:
armember
Vulnerability:
Unauthenticated Privilege Escalation
Patched in Version:
5.6
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 5.6.

WP CSV Exporter

Plugin Slug:
wp-csv-exporter
Vulnerability:
CSV Injection
Patched in Version:
1.3.7
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.3.7.

Booster for WooCommerce

Plugin Slug:
booster-plus-for-woocommerce
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
6.0.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.0.0.

contest-gallery-pro

Plugin Slug:
contest-gallery-pro
Vulnerability:
Admin+ SQL Injection
Patched in Version:
19.1.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 19.1.5.

Booster for WooCommerce

Plugin Slug:
booster-elite-for-woocommerce
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
6.0.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.0.0.

YITH WooCommerce Gift Cards Premium

Plugin Slug:
yith-woocommerce-gift-cards-premium
Vulnerability:
Unauthenticated Arbitrary File Upload
Patched in Version:
3.20.0
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 3.20.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Paytium

Plugin Slug:
paytium
Vulnerability:
Admin+ Stored XSS
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

ImageInject

Plugin Slug:
wp-inject
Vulnerability:
Admin+ Stored XSS
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Menu Item Visibility Control

Plugin Slug:
menu-items-visibility-control
Vulnerability:
Admin+ Arbitrary PHP Code Execution
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Bulk Delete Users by Email

Plugin Slug:
bulk-delete-users-by-email
Vulnerability:
User Deletion via CSRF; Reflected Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Eventify

Plugin Slug:
eventify
Vulnerability:
Admin+ Stored XSS
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Supra CSV

Plugin Slug:
supra-csv-parser
Vulnerability:
Stored Cross-Site Scripting via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

IWS – Geo Form Fields

Plugin Slug:
iws-geo-form-fields
Vulnerability:
Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Advanced Booking Calendar

Plugin Slug:
advanced-booking-calendar
Vulnerability:
CSRF; Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Plugin Logic

Plugin Slug:
plugin-logic
Vulnerability:
Admin+ SQLi
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version in which it was patched (if a patch exists), the severity rating, and the CVE.

Workreap

Theme Slug:
workreap
Vulnerability:
Subscriber+ Arbitrary Posts Deletion via IDOR
Patched in Version:
2.6.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.4.
