WordPress Vulnerability Report

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Want this report delivered to your inbox each week?

WordPress Core Vulnerabilities

The latest version of WordPress core was released on January 6, 2022 as a short-cycle security release. Because WordPress 5.8.3 is a security release, we recommend that you update all your sites immediately.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.

If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.8.3.

Stay tuned for the release of WordPress 5.9 next week! See what’s new in WordPress 5.9 during a live webinar with iThemes Security lead developer and WordPress Core Committer, Timothy Jacobs. Join us live next Tuesday, January 25, 2022, @ 1:00 p.m. (CT) for the WordPress 5.9 Launch Event hosted by iThemes Training.

Can’t make the live webinar? Go ahead and register and we’ll email you the video replay.
See webinar time in your time zone.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Complianz – GDPR/CCPA Cookie Consent

Plugin: Complianz – GDPR/CCPA Cookie Consent
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.0.0
Severity Score: Medium

CMP – Coming Soon & Maintenance Plugin by NiteoThemes

Plugin: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Installations: 100,000+
Vulnerability: Unauthenticated Arbitrary CSS Update
Patched in Version: 4.0.19
Severity Score: High

Download Monitor

Plugin: Download Monitor
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.4.7
Severity Score: Medium

Remove Footer Credit

Plugin: Remove Footer Credit
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.0.11
Severity Score: Low

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue

Plugin: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
Installations: 90,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.1.31
Severity Score: Medium

XootiX Plugins

Plugin: Side Cart Woocommerce (Ajax)
Installations: 60,000+
Vulnerability: CSRF to Arbitrary Options Update
Patched in Version: 2.1
Severity Score: High

MapPress Maps for WordPress

Plugin: MapPress Maps for WordPress
Installations: 60,000+
Vulnerability: Reflected Cross-Site scripting
Patched in Version: 2.73.4
Severity Score: Medium

Themify Portfolio Post

Plugin: Themify Portfolio Post
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.1.7
Severity Score: Medium

Permalink Manager

Plugin: Permalink Manager Lite
Installations: 60,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2.15
Severity Score: Medium

Quiz And Survey Master

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Installations: 40,000+
Vulnerability: CSRF<br>Reflected Cross-Site Scripting<br>Low Privilege Stored Cross-Site Scripting
Patched in Version: 7.3.7
Severity Score: Medium

Futurio Extra

Plugin: Futurio Extra
Installations: 30,000+
Vulnerability: Subscriber+ User Email Address Leakage
Patched in Version: 1.6.3
Severity Score: Medium

PHP Everywhere

Plugin: PHP Everywhere
Installations: 30,000+
Vulnerability: Arbitrary Settings Update via CSRF
Patched in Version: 2.0.3
Severity Score: Medium

PPOM for WooCommerce

Plugin: PPOM for WooCommerce
Installations: 20,000+
Vulnerability: Subscriber+ Settings Update to Stored XSS
Patched in Version: 24.0
Severity Score: Medium

Ad Invalid Click Protector (AICP)

Plugin: Ad Invalid Click Protector (AICP)
Installations: 20,000+
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.6
Severity Score: Medium

NewStatPress

Plugin: NewStatPress
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.6
Severity Score: Medium

XootiX Plugins

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )
Installations: 20,000+
Vulnerability: Various Versions CSRF to Arbitrary Options Update
Patched in Version: 2.3
Severity Score: High

Ibtana

Plugin: Ibtana – WordPress Website Builder
Installations: 10,000+
Vulnerability: Subscriber+ Settings Update to Stored XSS
Patched in Version: 1.1.4.9
Severity Score: Medium

WP Ultimate CSV Importer

Plugin: Easy Drag And drop All Import : WP Ultimate CSV Importer
Installations: 10,000+
Vulnerability: Subscriber+ Arbitrary Option Deletion<br>Subscriber+ Arbitrary File Upload
Patched in Version: 6.4.2
Severity Score: High

PowerPack Lite for Beaver Builder

Plugin: PowerPack Lite for Beaver Builder
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.2.9.3
Severity Score: Medium

WHMCS Bridge

Plugin: WHMCS Bridge
Installations: 10,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: 6.3
Severity Score: Medium

Magee Shortcodes

Plugin: Magee Shortcodes
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.9
Severity Score: Medium

WP Import Export

Plugin: WP Import Export Lite
Installations: 10,000+
Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched in Version: 3.9.16
Severity Score: High

Adaptive Images

Plugin: Adaptive Images for WordPress
Installations: 8,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 0.6.69
Severity Score: Medium

WP-Appbox

Plugin: WP-Appbox
Installations: 6,000+
Vulnerability: Authenticated Local File Inclusion
Patched in Version: 4.3.18
Severity Score: Low

RSVP and Event Management

Plugin: RSVP and Event Management Plugin
Installations: 5,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.5
Severity Score: Medium

XootiX Plugins – Various Versions

Plugin: Waitlist Woocommerce ( Back in stock notifier )
Installations: 4,000+
Vulnerability: CSRF to Arbitrary Options Update
Patched in Version: 2.5.1
Severity Score: High

Noptin

Plugin: WordPress Newsletter Plugin – Noptin
Installations: 4,000+
Vulnerability: Open Redirect
Patched in Version: 1.6.5
Severity Score: Medium

Mortgage Calculators WP

Plugin: Mortgage Calculators WP
Installations: 1,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.56
Severity Score: Low

Popup | Custom Popup Builder

Plugin: Popup | Custom Popup Builder
Installations: 1,000+
Vulnerability: Unauthenticated Denial of Service
Patched in Version: 1.3.1
Severity Score: High

Form Store to DB

Plugin: Form Store to DB
Installations: 90+
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.1.1
Severity Score: High

Premium Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed for premium plugins. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

Permalink Manager Pro

Plugin: Permalink Manager Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2.15
Severity Score: Medium

WP Import Export Pro

Plugin
Vulnerability: Unauthenticated Sensitive Data Disclosure
Patched in Version: 3.9.16
Severity Score: High

WordPress Plugin Vulnerabilities – No Known Fix

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure

Random Banner

Plugin: Random Banner
Installations: N/A
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

SpiderCalendar

Plugin: SpiderCalendar
Installations: N/A
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

WordPress Theme Vulnerabilities

No new theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Activate File Change Detection

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Site scanner for plugin and theme vulnerabilities
File change detection
Real-time website security dashboard
WordPress security logs
Trusted devices to protect from session hijacking
reCAPTCHA
Brute force protection
Privilege escalation
Compromised passwords check & refusal

Get iThemes Security Pro

iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

WordPress Vulnerability Report – January 19, 2022

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

Premium Plugin Vulnerabilities

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

1. Install the iThemes Security Pro Plugin

2. Enable the Site Scan to Check for Known Vulnerabilities

3. Activate File Change Detection

Get iThemes Security Pro with 24/7 Website Security Monitoring

Get iThemes Security Pro

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report