WordPress Vulnerability Report – January 19, 2022
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of Low, Medium, High, or Critical.
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
Get SolidWP tips direct in your inbox
Sign up
Get started with confidence — risk free, guaranteed
WordPress Core Vulnerabilities
The latest version of WordPress core was released on January 6, 2022 as a short-cycle security release. Because WordPress 5.8.3 is a security release, we recommend that you update all your sites immediately.
You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.
If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.8.3.
Stay tuned for the release of WordPress 5.9 next week! See what’s new in WordPress 5.9 during a live webinar with iThemes Security lead developer and WordPress Core Committer, Timothy Jacobs. Join us live next Tuesday, January 25, 2022, @ 1:00 p.m. (CT) for the WordPress 5.9 Launch Event hosted by iThemes Training.
Can’t make the live webinar? Go ahead and register and we’ll email you the video replay.
See webinar time in your time zone.
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
Complianz – GDPR/CCPA Cookie Consent
- Plugin:
- Complianz – GDPR/CCPA Cookie Consent
- Installations:
- 200,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 6.0.0
- Severity Score:
- Medium
CMP – Coming Soon & Maintenance Plugin by NiteoThemes
- Plugin:
- CMP – Coming Soon & Maintenance Plugin by NiteoThemes
- Installations:
- 100,000+
- Vulnerability:
- Unauthenticated Arbitrary CSS Update
- Patched in Version:
- 4.0.19
- Severity Score:
- High
Download Monitor
- Plugin:
- Download Monitor
- Installations:
- 100,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 4.4.7
- Severity Score:
- Medium
Remove Footer Credit
- Plugin:
- Remove Footer Credit
- Installations:
- 100,000+
- Vulnerability:
- Admin+ Stored Cross-Site Scripting
- Patched in Version:
- 1.0.11
- Severity Score:
- Low
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
- Plugin:
- Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
- Installations:
- 90,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 3.1.31
- Severity Score:
- Medium
XootiX Plugins
- Plugin:
- Side Cart Woocommerce (Ajax)
- Installations:
- 60,000+
- Vulnerability:
- CSRF to Arbitrary Options Update
- Patched in Version:
- 2.1
- Severity Score:
- High
MapPress Maps for WordPress
- Plugin:
- MapPress Maps for WordPress
- Installations:
- 60,000+
- Vulnerability:
- Reflected Cross-Site scripting
- Patched in Version:
- 2.73.4
- Severity Score:
- Medium
Themify Portfolio Post
- Plugin:
- Themify Portfolio Post
- Installations:
- 60,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 1.1.7
- Severity Score:
- Medium
Permalink Manager
- Plugin:
- Permalink Manager Lite
- Installations:
- 60,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 2.2.15
- Severity Score:
- Medium
Quiz And Survey Master
- Plugin:
- Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
- Installations:
- 40,000+
- Vulnerability:
- CSRF<br>Reflected Cross-Site Scripting<br>Low Privilege Stored Cross-Site Scripting
- Patched in Version:
- 7.3.7
- Severity Score:
- Medium
Futurio Extra
- Plugin:
- Futurio Extra
- Installations:
- 30,000+
- Vulnerability:
- Subscriber+ User Email Address Leakage
- Patched in Version:
- 1.6.3
- Severity Score:
- Medium
PHP Everywhere
- Plugin:
- PHP Everywhere
- Installations:
- 30,000+
- Vulnerability:
- Arbitrary Settings Update via CSRF
- Patched in Version:
- 2.0.3
- Severity Score:
- Medium
PPOM for WooCommerce
- Plugin:
- PPOM for WooCommerce
- Installations:
- 20,000+
- Vulnerability:
- Subscriber+ Settings Update to Stored XSS
- Patched in Version:
- 24.0
- Severity Score:
- Medium
Ad Invalid Click Protector (AICP)
- Plugin:
- Ad Invalid Click Protector (AICP)
- Installations:
- 20,000+
- Vulnerability:
- Authenticated SQL Injection
- Patched in Version:
- 1.2.6
- Severity Score:
- Medium
NewStatPress
- Plugin:
- NewStatPress
- Installations:
- 20,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 1.3.6
- Severity Score:
- Medium
XootiX Plugins
- Plugin:
- Login/Signup Popup ( Inline Form + Woocommerce )
- Installations:
- 20,000+
- Vulnerability:
- Various Versions CSRF to Arbitrary Options Update
- Patched in Version:
- 2.3
- Severity Score:
- High
Ibtana
- Plugin:
- Ibtana – WordPress Website Builder
- Installations:
- 10,000+
- Vulnerability:
- Subscriber+ Settings Update to Stored XSS
- Patched in Version:
- 1.1.4.9
- Severity Score:
- Medium
WP Ultimate CSV Importer
- Plugin:
- Easy Drag And drop All Import : WP Ultimate CSV Importer
- Installations:
- 10,000+
- Vulnerability:
- Subscriber+ Arbitrary Option Deletion<br>Subscriber+ Arbitrary File Upload
- Patched in Version:
- 6.4.2
- Severity Score:
- High
PowerPack Lite for Beaver Builder
- Plugin:
- PowerPack Lite for Beaver Builder
- Installations:
- 10,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 1.2.9.3
- Severity Score:
- Medium
WHMCS Bridge
- Plugin:
- WHMCS Bridge
- Installations:
- 10,000+
- Vulnerability:
- Subscriber+ Stored Cross-Site Scripting
- Patched in Version:
- 6.3
- Severity Score:
- Medium
Magee Shortcodes
- Plugin:
- Magee Shortcodes
- Installations:
- 10,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 2.0.9
- Severity Score:
- Medium
WP Import Export
- Plugin:
- WP Import Export Lite
- Installations:
- 10,000+
- Vulnerability:
- Unauthenticated Sensitive Data Disclosure
- Patched in Version:
- 3.9.16
- Severity Score:
- High
Adaptive Images
- Plugin:
- Adaptive Images for WordPress
- Installations:
- 8,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 0.6.69
- Severity Score:
- Medium
WP-Appbox
- Plugin:
- WP-Appbox
- Installations:
- 6,000+
- Vulnerability:
- Authenticated Local File Inclusion
- Patched in Version:
- 4.3.18
- Severity Score:
- Low
RSVP and Event Management
- Plugin:
- RSVP and Event Management Plugin
- Installations:
- 5,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 2.7.5
- Severity Score:
- Medium
XootiX Plugins – Various Versions
- Plugin:
- Waitlist Woocommerce ( Back in stock notifier )
- Installations:
- 4,000+
- Vulnerability:
- CSRF to Arbitrary Options Update
- Patched in Version:
- 2.5.1
- Severity Score:
- High
Noptin
- Plugin:
- WordPress Newsletter Plugin – Noptin
- Installations:
- 4,000+
- Vulnerability:
- Open Redirect
- Patched in Version:
- 1.6.5
- Severity Score:
- Medium
Mortgage Calculators WP
- Plugin:
- Mortgage Calculators WP
- Installations:
- 1,000+
- Vulnerability:
- Admin+ Stored Cross-Site Scripting
- Patched in Version:
- 1.56
- Severity Score:
- Low
Popup | Custom Popup Builder
- Plugin:
- Popup | Custom Popup Builder
- Installations:
- 1,000+
- Vulnerability:
- Unauthenticated Denial of Service
- Patched in Version:
- 1.3.1
- Severity Score:
- High
Form Store to DB
- Plugin:
- Form Store to DB
- Installations:
- 90+
- Vulnerability:
- Unauthenticated Stored Cross-Site Scripting
- Patched in Version:
- 1.1.1
- Severity Score:
- High
Premium Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed for premium plugins. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
Permalink Manager Pro
- Plugin:
- Permalink Manager Pro
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 2.2.15
- Severity Score:
- Medium
WP Import Export Pro
- Vulnerability:
- Unauthenticated Sensitive Data Disclosure
- Patched in Version:
- 3.9.16
- Severity Score:
- High
WordPress Plugin Vulnerabilities – No Known Fix
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure
Random Banner
- Plugin:
- Random Banner
- Installations:
- N/A
- Vulnerability:
- Admin+ Stored Cross-Site Scripting
- Patched in Version:
- No Fix
- Severity Score:
- Low
SpiderCalendar
- Plugin:
- SpiderCalendar
- Installations:
- N/A
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- No Fix
- Severity Score:
- Medium
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Join us for the next Solid Academy Webinar!
Free weekly webinars that will help you master WordPress and increase your business's bottom line.
What is a WordPress Phishing Attack?
Learn how to identify and prevent phishing attacks on WordPress websites.
Kiki SheldonWebsite Protection: 5 Ways to Keep Your Website Safe
Robust website protection is the shield that stands between your business and relentless cyber attacks. Prioritizing website protection enables businesses to fortify defenses to safeguard their online presence and preserve the trust of their customers in the face of ever-evolving cybersecurity threats.
Kiki Sheldon23 Ideas To Grow Your WordPress Business in 2023
WordPress is the most popular website-building platform worldwide, trusted by numerous brands. WordPress enables you to build a user-friendly and highly reliable site, together with tools and plugins to enhance your marketing and work like a lead magnet. All these features make WordPress the platform chosen by more than 43% of businesses globally.
SolidWP Editorial TeamSign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Get started with confidence — risk free, guaranteed
