
WordPress Vulnerability Report – February 23, 2022

Written by Michael Moore on February 23, 2022

Last Updated on February 23, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the February 23, 2022 Report
  • WordPress Disaster Week is coming
    • March 8 – 10, 2022
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • UpdraftPlus Free
    • Essential Addons for Elementor Lite
    • WP Statistics
    • Photo Gallery by 10Web
    • Relevanssi
    • WP Content Copy Protection & No Right Click
    • Cookie Information
    • Profile Builder
    • Contact Form Submissions
    • Zero Spam
    • Master Addons for Elementor
    • Hide Admin Bar Based on User Roles
    • Advanced Product Labels for WooCommerce
    • Powerkit
    • Countdown & Clock
    • WPCargo
    • ARI Fancy Lightbox
    • Event Manager for WooCommerce
    • Patreon WordPress
    • WP Home Page Menu
    • Kunze Law
    • Team Circle Image Slider With Lightbox
    • Login with phone number
    • Sync QCloud COS
    • Flexi – Guest Submit
    • CommonsBooking
    • Multisite Content Copier/Updater
    • Relevanssi – Subscriber+
  • WordPress Plugin Vulnerabilities – No Known Fix
    • Persian Woocommerce
    • Better WordPress Google XML Sitemaps
    • Page Builder KingComposer
    • hub2word
    • Simple Theme Options
    • SEO 301 Meta
    • Simple Quotation
    • GD Mylist
    • WP Voting Contest
    • Petfinder Listings
  • WordPress Theme Vulnerabilities
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring

WordPress Disaster Week is coming

March 8 – 10, 2022

A FREE ONLINE TRAINING EVENT

Are you ready if disaster strikes your WordPress website today? From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. To help you combat the threat of website disasters, we’re hosting the biggest free, online WordPress security training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.
Register now

Can’t make the live training? Go ahead and register and we’ll email you the replays.

WordPress Core Vulnerabilities

WordPress 5.9.1 was released on February 22, 2022 as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if a patch exists), and the severity rating.

UpdraftPlus Free

Plugin: UpdraftPlus WordPress Backup Plugin
Installations: 3,000,000+
Vulnerability: Incorrect Authorization
Patched in Version: 1.22.3
Severity Score: High
The vulnerability has been patched, so you should update to version 1.22.3.

Essential Addons for Elementor Lite

Plugin: Essential Addons for Elementor
Installations: 1,000,000+
Vulnerability: XSS
Patched in Version: 5.0.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.0.9.

WP Statistics

Plugin: WP Statistics
Installations: 600,000+
Vulnerability: Unauthenticated Blind SQL Injection via IP; Unauthenticated Blind SQL Injection via current_page_id; Unauthenticated Blind SQL Injection via current_page_type; Multiple Unauthenticated Stored Cross-Site Scripting
Patched in Version: 13.1.6
Severity Score: Critical
The vulnerability has been patched, so you should update to version 13.1.6.

Photo Gallery by 10Web

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Installations: 300,000+
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 1.6.0
Severity Score: High
The vulnerability has been patched, so you should update to version 1.6.0.

Relevanssi

Plugin: Relevanssi – A Better Search
Installations: 100,000+
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 4.14.6
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.14.6.

WP Content Copy Protection & No Right Click

Plugin: WP Content Copy Protection & No Right Click
Installations: 100,000+
Vulnerability: Settings Update via CSRF
Patched in Version: 3.4.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.4.5.

Cookie Information

Plugin: Cookie Information | Free GDPR Consent Solution
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.8
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.0.8.

Profile Builder

Plugin: Profile Builder – User Profile & User Registration Forms
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.6.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.6.2.

Contact Form Submissions

Plugin: Contact Form Submissions
Installations: 50,000+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 1.7.3
Severity Score: High
The vulnerability has been patched, so you should update to version 1.7.3.

Zero Spam

Plugin: Zero Spam for WordPress
Installations: 30,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 5.2.11
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.2.11.

Master Addons for Elementor

Plugin: Master Addons for Elementor
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.8.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.8.2.

Hide Admin Bar Based on User Roles

Plugin: Hide Admin Bar Based on User Roles
Installations: 20,000+
Vulnerability: Settings Update via CSRF; Subscriber+ Settings Update
Patched in Version: 3.1.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.1.0.

Advanced Product Labels for WooCommerce

Plugin: Advanced Product Labels for WooCommerce
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.2.3.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.2.3.7.

Powerkit

Plugin: Powerkit – Supercharge your WordPress Site
Installations: 10,000+
Vulnerability: Post Views Settings Update/Reset via CSRF
Patched in Version: 2.5.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.5.9.

Countdown & Clock

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.2.9.

WPCargo

Plugin: WPCargo Track & Trace
Installations: 10,000+
Vulnerability: Unauthenticated RCE
Patched in Version: 6.9.0
Severity Score: Critical
The vulnerability has been patched, so you should update to version 6.9.0.

ARI Fancy Lightbox

Plugin: ARI Fancy Lightbox – WordPress Popup
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.3.9.

Event Manager for WooCommerce

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce
Installations: 9,000+
Vulnerability: Contributor+ SQL Injection
Patched in Version: 3.5.8
Severity Score: High
The vulnerability has been patched, so you should update to version 3.5.8.

Patreon WordPress

Plugin: Patreon WordPress
Installations: 5,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.8.2
Severity Score: Low
The vulnerability has been patched, so you should update to version 1.8.2.

WP Home Page Menu

Plugin: WP Home Page Menu
Installations: 900+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.1
Severity Score: Low
The vulnerability has been patched, so you should update to version 3.1.

Kunze Law

Plugin: Kunze Law
Installations: 800+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.1
Severity Score: Low
The vulnerability has been patched, so you should update to version 2.1.

Team Circle Image Slider With Lightbox

Plugin: Team Circle Image Slider With Lightbox
Installations: 800+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.16
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.0.16.

Login with phone number

Plugin: Login with phone number
Installations: 600+
Vulnerability: Unauthenticated Remote Plugin Deletion
Patched in Version: 1.3.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.3.7.

Sync QCloud COS

Plugin: Sync QCloud COS
Installations: 300+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.1
Severity Score: Low
The vulnerability has been patched, so you should update to version 2.0.1.

Flexi – Guest Submit

Plugin: Flexi – Guest Submit
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.20
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.20.

CommonsBooking

Plugin: CommonsBooking
Installations: 100+
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.6.8
Severity Score: High
The vulnerability has been patched, so you should update to version 2.6.8.

Multisite Content Copier/Updater

Plugin: WordPress Multisite Content Copier/Updater
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.1.2.

Relevanssi – Subscriber+

Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.16.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.16.5.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Persian Woocommerce

Plugin: Persian Woocommerce
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Better WordPress Google XML Sitemaps

Plugin: Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

Page Builder KingComposer

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Open Redirect
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

hub2word

Plugin: Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results
Vulnerability: Subscriber+ Arbitrary Options Update
Patched in Version: No Fix
Severity Score: Critical
The vulnerability has not been patched. You should deactivate the plugin.

Simple Theme Options

Plugin: Simple Theme Options
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched. You should deactivate the plugin.

SEO 301 Meta

Plugin: Seo 301 Meta
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched. You should deactivate the plugin.

Simple Quotation

Plugin: Simple Quotation
Vulnerability: Subscriber+ SQL Injection; Quote Creation/Edition via CSRF to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

GD Mylist

Plugin: GDMylist
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched. You should deactivate the plugin.

WP Voting Contest

Plugin: WP Voting Contest
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

Petfinder Listings

Plugin: Petfinder Listings
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if a patch exists), and the severity rating.

  • No new theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked, with 30+ ways to secure your site in one easy-to-use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Site Scanner checks your site for known vulnerabilities, including plugins, themes, and WordPress core. It also scans Google’s blocklist status and will alert you if Google has found any malware on your website.

3. Activate Automatic Vulnerability Patching

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions are updated for you automatically, so you don’t have to worry about these reports.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices to protect from session hijacking
  • reCAPTCHA
  • Brute force protection
  • Privilege escalation
  • Compromised passwords check & refusal


Want the Weekly WordPress Vulnerability Report delivered right to your inbox? Subscribe to the weekly email.