WordPress Vulnerability Report

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress Disaster Week is coming

March 8 – 10, 2022

A FREE ONLINE TRAINING EVENT

Are you ready if disaster strikes your WordPress website today? From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. To help you combat the threat of website disasters, we’re hosting the biggest free, online WordPress security training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.

Can’t make the live training? Go ahead and register and we’ll email you the replays.

WordPress Core Vulnerabilities

WordPress 5.9.1 was released on February 22, 2022 as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

UpdraftPlus Free

Plugin: UpdraftPlus WordPress Backup Plugin
Installations: 3,000,000+
Vulnerability: INCORRECT AUTHORIZATION
Patched in Version: 1.22.3
Severity Score: High

Essential Addons for Elementor Lite

Plugin: Essential Addons for Elementor
Installations: 1,000,000+
Vulnerability: XSS
Patched in Version: 5.0.9
Severity Score: Medium

WP Statistics

Plugin: WP Statistics
Installations: 600,000+
Vulnerability: Unauthenticated Blind SQL Injection via IP; Unauthenticated Blind SQL Injection via current_page_id; Unauthenticated Blind SQL Injection via current_page_type; Multiple Unauthenticated Stored Cross-Site Scripting
Patched in Version: 13.1.6
Severity Score: Critical

Photo Gallery by 10Web

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Installations: 300,000+
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 1.6.0
Severity Score: High

Relevanssi

Plugin: Relevanssi – A Better Search
Installations: 100,000+
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 4.14.6
Severity Score: Medium

WP Content Copy Protection & No Right Click

Plugin: WP Content Copy Protection & No Right Click
Installations: 100,000+
Vulnerability: Settings Update via CSRF
Patched in Version: 3.4.5
Severity Score: Medium

Cookie Information

Plugin: Cookie Information | Free GDPR Consent Solution
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.8
Severity Score: Medium

Profile Builder

Plugin: Profile Builder – User Profile & User Registration Forms
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.6.2
Severity Score: Medium

Contact Form Submissions

Plugin: Contact Form Submissions
Installations: 50,000+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 1.7.3
Severity Score: High

Zero Spam

Plugin: Zero Spam for WordPress
Installations: 30,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 5.2.11
Severity Score: Medium

Master Addons for Elementor

Plugin: Master Addons for Elementor
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.8.2
Severity Score: Medium

Hide Admin Bar Based on User Roles

Plugin: Hide Admin Bar Based on User Roles
Installations: 20,000+
Vulnerability: Settings Update via CSRF; Subscriber+ Settings Update
Patched in Version: 3.1.0
Severity Score: Medium

Advanced Product Labels for WooCommerce

Plugin: Advanced Product Labels for WooCommerce
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.2.3.7
Severity Score: Medium

Powerkit

Plugin: Powerkit – Supercharge your WordPress Site
Installations: 10,000+
Vulnerability: Post Views Settings Update/Reset via CSRF
Patched in Version: 2.5.9
Severity Score: Medium

Countdown & Clock

Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2.9
Severity Score: Medium

WPCargo

Plugin: WPCargo Track & Trace
Installations: 10,000+
Vulnerability: Unauthenticated RCE
Patched in Version: 6.9.0
Severity Score: Critical

ARI Fancy Lightbox

Plugin: ARI Fancy Lightbox – WordPress Popup
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.9
Severity Score: Medium

Event Manager for WooCommerce

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce
Installations: 9,000+
Vulnerability: Contributor+ SQL Injection
Patched in Version: 3.5.8
Severity Score: High

Patreon WordPress

Plugin: Patreon WordPress
Installations: 5,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.8.2
Severity Score: Low

WP Home Page Menu

Plugin: WP Home Page Menu
Installations: 900+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.1
Severity Score: Low

Kunze Law

Plugin: Kunze Law
Installations: 800+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.1
Severity Score: Low

Team Circle Image Slider With Lightbox

Plugin: Team Circle Image Slider With Lightbox
Installations: 800+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.16
Severity Score: Medium

Login with phone number

Plugin: Login with phone number
Installations: 600+
Vulnerability: Unauthenticated Remote Plugin Deletion
Patched in Version: 1.3.7
Severity Score: Medium

Sync iCloud COS

Plugin: Sync QCloud COS
Installations: 300+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.1
Severity Score: Low

Flexi – Guest Submit

Plugin: Flexi – Guest Submit
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.20
Severity Score: Medium

CommonsBooking

Plugin: CommonsBooking
Installations: 100+
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.6.8
Severity Score: High

Multisite Content Copier/Updater

Plugin: WordPress Multisite Content Copier/Updater
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.2
Severity Score: Medium

Relevanssi – Subscriber+

Plugin
Vulnerability: Unauthorised AJAX Calls
Patched in Version: 2.16.5
Severity Score: Medium

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Persian Woocommerce

Plugin: ??????? ?????
Installations: 80,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Better WordPress Google XML Sitemaps

Plugin: Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News)
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High

Page Builder KingComposer

Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Vulnerability: Open Redirect
Patched in Version: No Fix
Severity Score: Medium

hub2word

Plugin: Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results
Vulnerability: Subscriber+ Arbitrary Options Update
Patched in Version: No Fix
Severity Score: Critical

Simple Theme Options

Plugin: Simple Theme Options
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

SEO 301 Meta

Plugin: Seo 301 Meta
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Simple Quotation

Plugin: Simple Quotation
Vulnerability: Subscriber+ SQL injection; Quote Creation/Edition via CSRF to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High

GD Mylist

Plugin: GDMylist
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

WP Voting Contest

Plugin: WP Voting Contest
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Petfinder Listings

Plugin: Petfinder Listings
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

No new theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Site Scanner checks your site for known vulnerabilities, including plugins, themes, and WordPress core. It also scans Google’s blocklist status and will alert you if Google has found any malware on your website.

3. Activate Automatic Vulnerability Patching

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you … so you don’t have to care about these reports.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Site scanner for plugin and theme vulnerabilities
File change detection
Real-time website security dashboard
WordPress security logs
Trusted devices to protect from session hijacking
reCAPTCHA
Brute force protection
Privilege escalation
Compromised passwords check & refusal

Get iThemes Security Pro

Want the Weekly WordPress Vulnerability Report delivered right to your inbox? Subscribe to the weekly email.

WordPress Vulnerability Report – February 23, 2022

WordPress Disaster Week is coming

March 8 – 10, 2022

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

1. Install the iThemes Security Pro Plugin

2. Enable the Site Scan to Check for Known Vulnerabilities

3. Activate Automatic Vulnerability Patching

Get iThemes Security Pro with 24/7 Website Security Monitoring

Get iThemes Security Pro

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report