Menu
iThemes
WordPress Security, Backups & Maintenance
WordPress News and Updates from iThemes
Categories

WordPress Vulnerability Report – February 9, 2022

Written by on

Last Updated on February 10, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of LowMediumHigh, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Read the 2021 Annual Report
Download the Infographic

WordPress 5.9: Core Major Version Update Now Available

WordPress 5.9 “Joséphine” was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).

WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.

In this post, we unpack what’s new and noteworthy in WordPress 5.9 so you can get the most out of the latest version of WordPress.

You can update to WordPress 5.9 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.

If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.

See what’s new in WordPress 5.9

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

All-in-One WP Migration

Product image for All-in-One WP Migration.
Plugin
All-in-One WP Migration
Installations
4,000,000+
Vulnerability
Admin+ Arbitrary File Upload to RCE
Patched in Version
7.41
Severity Score
Medium
The vulnerability has been patched, so you should update to version 7.41.

Ad Inserter

Product image for Ad Inserter – Ad Manager & AdSense Ads.
Plugin
Ad Inserter – Ad Manager & AdSense Ads
Installations
200,000+
Vulnerability
Admin+ RCE / Stored XSS
Patched in Version
2.7.11
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.7.11.

White Label CMS

Product image for White Label CMS.
Plugin
White Label CMS
Installations
200,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
2.2.9
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.2.9.

WordPress Download Manager

Product image for Download Manager.
Plugin
Download Manager
Installations
100,000+
Vulnerability
Sensitive Information Disclosure
Patched in Version
3.2.35
Severity Score
High
The vulnerability has been patched, so you should update to version 3.2.35.

Product Feed PRO for WooCommerce

Product image for Product Feed PRO for WooCommerce.
Plugin
Product Feed PRO for WooCommerce
Installations
80,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
11.2.3
Severity Score
Medium
The vulnerability has been patched, so you should update to version 11.2.3.

Advanced iFrame

Product image for Advanced iFrame.
Plugin
Advanced iFrame
Installations
70,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
2022
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2022.

WordPress Real Cookie Banner

Product image for WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent.
Plugin
WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent
Installations
60,000+
Vulnerability
Settings Reset via CSRF
Patched in Version
2.14.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.14.2.

AdRotate

Product image for AdRotate – Ad manager & AdSense Ads.
Plugin
AdRotate – Ad manager & AdSense Ads
Installations
40,000+
Vulnerability
Admin+ SQL Injection
Patched in Version
5.8.22
Severity Score
Medium
The vulnerability has been patched, so you should update to version 5.8.22.

Conversios.io

Product image for Conversios.io – Google Analytics and Google Shopping plugin for WooCommerce.
Plugin
Conversios.io – Google Analytics and Google Shopping plugin for WooCommerce
Installations
40,000+
Vulnerability
Subscriber+ SQL Injection
Patched in Version
4.6.2
Severity Score
High
The vulnerability has been patched, so you should update to version 4.6.2.

NotificationX

Product image for NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor.
Plugin
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor
Installations
30,000+
Vulnerability
Unauthenticated Blind SQL Injection
Patched in Version
2.3.9
Severity Score
High
The vulnerability has been patched, so you should update to version 2.3.9.

Contact Form & Lead Form Elementor Builder Plugin

Product image for Contact Form & Lead Form Elementor Builder.
Plugin
Contact Form & Lead Form Elementor Builder
Installations
20,000+
Vulnerability
Multiple Subscriber+ Settings Update
Patched in Version
1.7.4
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.7.4.

Easy Pricing Tables

Product image for Pricing Tables WordPress Plugin – Easy Pricing Tables.
Plugin
Pricing Tables WordPress Plugin – Easy Pricing Tables
Installations
20,000+
Vulnerability
Arbitrary Post Removal via CSRF
Patched in Version
3.1.3
Severity Score
Medium
The vulnerability has been patched, so you should update to version 3.1.3.

Page Views Count

Product image for Page View Count.
Plugin
Page View Count
Installations
20,000+
Vulnerability
Unauthenticated SQL Injection
Patched in Version
2.4.15
Severity Score
High
The vulnerability has been patched, so you should update to version 2.4.15.

IP2Location Country Blocker

Product image for IP2Location Country Blocker.
Plugin
IP2Location Country Blocker
Installations
10,000+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
2.26.9
Severity Score
Low
The vulnerability has been patched, so you should update to version 2.26.9.

RegistrationMagic

Product image for RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin.
Plugin
RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin
Installations
10,000+
Vulnerability
Admin+ SQL Injection
Patched in Version
5.0.2.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 5.0.2.2.

Catch Themes Demo Import

Product image for Catch Themes Demo Import.
Plugin
Catch Themes Demo Import
Installations
10,000+
Vulnerability
Admin+ Remote Code Execution
Patched in Version
2.1.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.1.1.

MasterStudy LMS

Product image for MasterStudy LMS – WordPress LMS Plugin.
Plugin
MasterStudy LMS – WordPress LMS Plugin
Installations
10,000+
Vulnerability
Unauthenticated Admin Account Creation
Patched in Version
2.7.6
Severity Score
Critical
The vulnerability has been patched, so you should update to version 2.7.6.

Custom Content Shortcode

Product image for Custom Content Shortcode.
Plugin
Custom Content Shortcode
Installations
10,000+
Vulnerability
Unauthorised Arbitrary Post Metadata Access; Authenticated Arbitrary File Access / LFI; Authenticated Stored Cross-Site Scripting
Patched in Version
4.0.1
Severity Score
High
The vulnerability has been patched, so you should update to version 4.0.1.

EasyJobs

Product image for EasyJobs – Easiest Talent Recruitment Suite – Job Manager & Career Page in Elementor.
Plugin
EasyJobs – Easiest Talent Recruitment Suite – Job Manager & Career Page in Elementor
Installations
5,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
1.4.8
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.4.8.

WP Time Slots Booking Form

Product image for WP Time Slots Booking Form.
Plugin
WP Time Slots Booking Form
Installations
1,000+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
1.1.63
Severity Score
Low
The vulnerability has been patched, so you should update to version 1.1.63.

CP Blocks

Product image for CP Blocks.
Plugin
CP Blocks
Installations
1,000+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
1.0.15
Severity Score
Low
The vulnerability has been patched, so you should update to version 1.0.15.

Premium Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure

Multisite User Sync/Unsync

Plugin
WordPress Multisite User Sync/Unsync
Installations
Unknown; Premium Plugin
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
2.1.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.1.2.

Multisite Content Copier/Updater Pro

Plugin
WordPress Multisite Content Copier/Updater
Installations
Unknown; Premium Plugin
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
2.1.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.1.0.

WordPress Plugin Vulnerabilities – No Known Fix

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure

Cost Calculator (nd-projects)

Plugin
Cost Calculator (nd-projects)
Vulnerability
Authenticated Local File Inclusion
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

No new theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Get iThemes Security Pro

Other related posts
Patchstack 2022 WordPress Security Review
The State of WordPress Security: Community and Collaboration Help Us All Win
wordpress-vulnerability-report
WordPress Vulnerability Report – March 8, 2023
denial of service
What is a Denial of Service (DoS)?
WordPress Vulnerability Report
WordPress Vulnerability Report – March 1, 2023

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Report
Copy link
CopyCopied
Powered by Social Snap