Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core Vulnerabilities
WordPress 5.8.3 was released on January 6, 2022 as a short-cycle security release. Because it is a security release, we recommend that you update all your sites immediately.
You can update to WordPress 5.8.3 by downloading it from WordPress.org or by visiting your WordPress admin dashboard > Updates and clicking Update Now.
If you have enabled automatic background updates, your sites should already have updated. Automatic core updates can be switched off by a host or by constants such as WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED in wp-config.php, so verify that every one of your WordPress sites actually reports version 5.8.3 rather than assuming it.
Stay tuned for the release of WordPress 5.9 next week! See what’s new in WordPress 5.9 during a live webinar with iThemes Security lead developer and WordPress Core Committer, Timothy Jacobs. Join us live next Tuesday, January 25, 2022, @ 1:00 p.m. (CT) for the WordPress 5.9 Launch Event hosted by iThemes Training.
Can’t make the live webinar? Go ahead and register and we’ll email you the video replay.
WordPress Plugin Vulnerabilities
This section lists the WordPress plugin vulnerabilities disclosed this week. Each plugin listing includes the type of vulnerability, the number of active installations, the version in which it was patched, and the severity rating. Where a vulnerability is prefixed with a role such as "Subscriber+" or "Admin+", that is the minimum role an attacker needs to exploit it; "Unauthenticated" means no account is required. Admin+ stored XSS is rated Low because an administrator can normally post unfiltered HTML anyway, so it mainly matters on multisite or where the unfiltered_html capability has been removed.
Complianz – GDPR/CCPA Cookie Consent

- Plugin
- Complianz – GDPR/CCPA Cookie Consent
- Installations
- 200,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 6.0.0
- Severity Score
- Medium
CMP – Coming Soon & Maintenance Plugin by NiteoThemes

- Plugin
- CMP – Coming Soon & Maintenance Plugin by NiteoThemes
- Installations
- 100,000+
- Vulnerability
- Unauthenticated Arbitrary CSS Update
- Patched in Version
- 4.0.19
- Severity Score
- High
Download Monitor

- Plugin
- Download Monitor
- Installations
- 100,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 4.4.7
- Severity Score
- Medium
Remove Footer Credit

- Plugin
- Remove Footer Credit
- Installations
- 100,000+
- Vulnerability
- Admin+ Stored Cross-Site Scripting
- Patched in Version
- 1.0.11
- Severity Score
- Low
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue

- Plugin
- Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
- Installations
- 90,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 3.1.31
- Severity Score
- Medium
XootiX Plugins

- Plugin
- Side Cart Woocommerce (Ajax)
- Installations
- 60,000+
- Vulnerability
- CSRF to Arbitrary Options Update
- Patched in Version
- 2.1
- Severity Score
- High
MapPress Maps for WordPress

- Plugin
- MapPress Maps for WordPress
- Installations
- 60,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 2.73.4
- Severity Score
- Medium
Themify Portfolio Post
- Plugin
- Themify Portfolio Post
- Installations
- 60,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 1.1.7
- Severity Score
- Medium
Permalink Manager

- Plugin
- Permalink Manager Lite
- Installations
- 60,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 2.2.15
- Severity Score
- Medium
Quiz And Survey Master

- Plugin
- Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
- Installations
- 40,000+
- Vulnerability
- CSRF; Reflected Cross-Site Scripting; Low Privilege Stored Cross-Site Scripting
- Patched in Version
- 7.3.7
- Severity Score
- Medium
Futurio Extra

- Plugin
- Futurio Extra
- Installations
- 30,000+
- Vulnerability
- Subscriber+ User Email Address Leakage
- Patched in Version
- 1.6.3
- Severity Score
- Medium
PHP Everywhere

- Plugin
- PHP Everywhere
- Installations
- 30,000+
- Vulnerability
- Arbitrary Settings Update via CSRF
- Patched in Version
- 2.0.3
- Severity Score
- Medium
PPOM for WooCommerce

- Plugin
- PPOM for WooCommerce
- Installations
- 20,000+
- Vulnerability
- Subscriber+ Settings Update to Stored XSS
- Patched in Version
- 24.0
- Severity Score
- Medium
Ad Invalid Click Protector (AICP)

- Plugin
- Ad Invalid Click Protector (AICP)
- Installations
- 20,000+
- Vulnerability
- Authenticated SQL Injection
- Patched in Version
- 1.2.6
- Severity Score
- Medium
NewStatPress
- Plugin
- NewStatPress
- Installations
- 20,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 1.3.6
- Severity Score
- Medium
XootiX Plugins

- Plugin
- Login/Signup Popup ( Inline Form + Woocommerce )
- Installations
- 20,000+
- Vulnerability
- CSRF to Arbitrary Options Update
- Patched in Version
- 2.3
- Severity Score
- High
Ibtana

- Plugin
- Ibtana – WordPress Website Builder
- Installations
- 10,000+
- Vulnerability
- Subscriber+ Settings Update to Stored XSS
- Patched in Version
- 1.1.4.9
- Severity Score
- Medium
WP Ultimate CSV Importer

- Plugin
- Easy Drag And drop All Import : WP Ultimate CSV Importer
- Installations
- 10,000+
- Vulnerability
- Subscriber+ Arbitrary Option Deletion; Subscriber+ Arbitrary File Upload
- Patched in Version
- 6.4.2
- Severity Score
- High
PowerPack Lite for Beaver Builder

- Plugin
- PowerPack Lite for Beaver Builder
- Installations
- 10,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 1.2.9.3
- Severity Score
- Medium
WHMCS Bridge

- Plugin
- WHMCS Bridge
- Installations
- 10,000+
- Vulnerability
- Subscriber+ Stored Cross-Site Scripting
- Patched in Version
- 6.3
- Severity Score
- Medium
Magee Shortcodes

- Plugin
- Magee Shortcodes
- Installations
- 10,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 2.0.9
- Severity Score
- Medium
WP Import Export

- Plugin
- WP Import Export Lite
- Installations
- 10,000+
- Vulnerability
- Unauthenticated Sensitive Data Disclosure
- Patched in Version
- 3.9.16
- Severity Score
- High
Adaptive Images

- Plugin
- Adaptive Images for WordPress
- Installations
- 8,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 0.6.69
- Severity Score
- Medium
WP-Appbox

- Plugin
- WP-Appbox
- Installations
- 6,000+
- Vulnerability
- Authenticated Local File Inclusion
- Patched in Version
- 4.3.18
- Severity Score
- Low
RSVP and Event Management

- Plugin
- RSVP and Event Management Plugin
- Installations
- 5,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 2.7.5
- Severity Score
- Medium
XootiX Plugins

- Plugin
- Waitlist Woocommerce ( Back in stock notifier )
- Installations
- 4,000+
- Vulnerability
- CSRF to Arbitrary Options Update
- Patched in Version
- 2.5.1
- Severity Score
- High
Noptin

- Plugin
- WordPress Newsletter Plugin – Noptin
- Installations
- 4,000+
- Vulnerability
- Open Redirect
- Patched in Version
- 1.6.5
- Severity Score
- Medium
Mortgage Calculators WP

- Plugin
- Mortgage Calculators WP
- Installations
- 1,000+
- Vulnerability
- Admin+ Stored Cross-Site Scripting
- Patched in Version
- 1.56
- Severity Score
- Low
Popup | Custom Popup Builder

- Plugin
- Popup | Custom Popup Builder
- Installations
- 1,000+
- Vulnerability
- Unauthenticated Denial of Service
- Patched in Version
- 1.3.1
- Severity Score
- High
Form Store to DB

- Plugin
- Form Store to DB
- Installations
- 90+
- Vulnerability
- Unauthenticated Stored Cross-Site Scripting
- Patched in Version
- 1.1.1
- Severity Score
- High
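Two vulnerability classes account for most of the entries above: "CSRF to Arbitrary Options Update" / "Subscriber+ Settings Update" (the three XootiX plugins, PHP Everywhere, PPOM for WooCommerce, Ibtana) and "Reflected Cross-Site Scripting" (a dozen plugins from Complianz down to RSVP and Event Management). The following is an added illustration written for this report, not code from any of the plugins listed or from iThemes or WPScan. It shows the handler pattern behind each class next to a hardened version; the function names, action names and option names (demo_save_setting, demo_banner_text and so on) are hypothetical.

```php
<?php
/**
 * Added illustration of the two handler patterns behind most entries in
 * this report, each as a vulnerable version beside a hardened one.
 * Not code from any listed plugin; all names are hypothetical.
 */

// --- Pattern 1: "CSRF to Arbitrary Options Update" / "Subscriber+ Settings Update" ---

// VULNERABLE: registered for logged-in AND anonymous users (wp_ajax_nopriv_),
// no nonce, no capability check, and the option name comes from the request.
// A forged request can overwrite any option, e.g. 'siteurl' or 'users_can_register'.
add_action( 'wp_ajax_demo_save_setting',        'demo_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_vulnerable' );
function demo_save_setting_vulnerable() {
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// HARDENED: logged-in only, nonce bound to this action, capability check,
// a fixed allow-list of option names, and sanitised values.
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_hardened' );
function demo_save_setting_hardened() {
    check_ajax_referer( 'demo_save_setting', 'nonce' );      // CSRF: dies on a missing/forged nonce
    if ( ! current_user_can( 'manage_options' ) ) {           // privilege: subscribers are refused
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'demo_banner_text', 'demo_banner_enabled' );
    $name    = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {              // arbitrary option: refused
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// The nonce the hardened handler expects is handed to the page's script, e.g.:
// wp_localize_script( 'demo-js', 'demoAjax', array( 'nonce' => wp_create_nonce( 'demo_save_setting' ) ) );

// --- Pattern 2: "Reflected Cross-Site Scripting" ---

// VULNERABLE: a request parameter echoed straight into the HTML response.
function demo_search_notice_vulnerable() {
    echo '<p>Results for: ' . $_GET['q'] . '</p>';
}

// HARDENED: unslash and sanitise on input, escape on output for the context
// it lands in (esc_html for text, esc_attr inside attributes, esc_url for href).
function demo_search_notice_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
    echo '<a href="' . esc_url( add_query_arg( 'q', $q ) ) . '">Permalink</a>';
}
```

The hardening is three independent checks, and a plugin needs all of them: the nonce stops cross-site requests, the capability check stops low-privilege accounts, and the allow-list stops an authorised user from touching options the feature was never meant to change. Severity in the listings above tracks which of those are missing: "Unauthenticated" entries correspond to a handler hooked on wp_ajax_nopriv_ (or an unauthenticated REST route) with none of them.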
Premium Plugin Vulnerabilities
This section lists the vulnerabilities disclosed this week in premium (paid) plugins, which are not distributed through WordPress.org and so have no public installation count. Each listing includes the type of vulnerability, the version in which it was patched, and the severity rating.
Permalink Manager Pro
- Plugin
- Permalink Manager Pro
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 2.2.15
- Severity Score
- Medium
WP Import Export Pro
- Plugin
- WP Import Export Pro
- Vulnerability
- Unauthenticated Sensitive Data Disclosure
- Patched in Version
- 3.9.16
- Severity Score
- High
WordPress Plugin Vulnerabilities – No Known Fix
This section lists vulnerabilities disclosed this week in closed plugins: plugins that have been removed from the WordPress.org directory and for which no fixed version exists. Each listing includes the type of vulnerability and the severity rating. A closed plugin cannot receive updates through WordPress.org, so if you run one of these, deactivate and delete it rather than wait for a patch.
Random Banner
- Plugin
- Random Banner
- Installations
- N/A
- Vulnerability
- Admin+ Stored Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Low
SpiderCalendar
- Plugin
- SpiderCalendar
- Installations
- N/A
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
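Whether or not you use a security plugin, the check itself is simple: compare the installed core version with 5.8.3 (the core section above) and each installed plugin's version with the "Patched in Version" figure in this report. The script below is an added example written for this report, not iThemes' code or the WPScan feed. It is meant to be run inside WordPress with WP-CLI (wp eval-file audit-report.php). Plugins are matched on the Name field of the plugin header, which is assumed to equal the names printed above; confirm that against your own plugin list. The table holds only a few entries from this report, not the whole list.

```php
<?php
/**
 * Added example (not iThemes' or WPScan's code): compare a site's WordPress
 * core and plugin versions against the "Patched in Version" figures in this
 * report. Run inside WordPress, e.g.:  wp eval-file audit-report.php
 * Matching on the plugin header "Name" is an assumption; verify it locally.
 */

if ( ! defined( 'ABSPATH' ) ) {
    fwrite( STDERR, "Run inside WordPress (wp eval-file) so WordPress functions are loaded.\n" );
    exit( 1 );
}
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()

// Core version this report says every site should be on.
$required_core = '5.8.3';

// Plugin header Name => first fixed version, taken from this report (partial list).
// null means the report says "No Fix": the plugin is closed and should be removed.
$patched_in = array(
    'Complianz – GDPR/CCPA Cookie Consent' => '6.0.0',
    'Download Monitor'                     => '4.4.7',
    'Permalink Manager Lite'               => '2.2.15',
    'Permalink Manager Pro'                => '2.2.15',
    'PHP Everywhere'                       => '2.0.3',
    'WP-Appbox'                            => '4.3.18',
    'Random Banner'                        => null,
    'SpiderCalendar'                       => null,
);

$findings = array();

// 1. Core: anything below 5.8.3 missed the January 6 security release.
$core = get_bloginfo( 'version' );
if ( version_compare( $core, $required_core, '<' ) ) {
    $findings[] = "core $core < $required_core: update WordPress";
}

// 2. Plugins: every installed plugin is checked, active or not. An inactive
//    vulnerable plugin is still code on disk and may still be reachable.
foreach ( get_plugins() as $file => $meta ) {
    $name = $meta['Name'];
    if ( ! array_key_exists( $name, $patched_in ) ) {
        continue;
    }
    $fixed = $patched_in[ $name ];
    $state = is_plugin_active( $file ) ? 'active' : 'inactive';
    if ( null === $fixed ) {
        $findings[] = "$name {$meta['Version']} ($state, $file): no fix available, deactivate and delete";
    } elseif ( version_compare( $meta['Version'], $fixed, '<' ) ) {
        $findings[] = "$name {$meta['Version']} < $fixed ($state, $file): update to $fixed or later";
    }
}

if ( empty( $findings ) ) {
    echo "No core or plugin versions below the fixed versions in this report.\n";
} else {
    echo implode( "\n", $findings ) . "\n";
}
```

version_compare() understands the four-part and two-part version strings used in the listings above (1.1.4.9, 2.3, 0.6.69), so the same table format works for every entry in the report. A plugin that is installed but not in WordPress.org's directory (the premium ones) still appears in get_plugins() and is checked the same way.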
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People's Lives Awesome.