WordPress News and Updates from iThemes
WordPress Vulnerability Report: January 2022, Part 1

Written by Michael Moore on January 5, 2022

Last Updated on January 5, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the January 5, 2022 Report
  • 2021 WordPress Vulnerability Report Recap: 1,263 Vulnerabilities Disclosed; 98% Plugins
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • 1. UpdraftPlus
    • 2. WebP Converter for Media
    • 3. WOOF – Products Filter for WooCommerce
    • 4. LearnPress
    • 5. WP Post Page Clone
    • 6. WP Extra File Types
    • 7. Tutor LMS
    • 8. Custom Dashboard & Login Page
    • 9. Ultimate FAQ
    • 10. WP User Frontend
    • 11. myCred
    • 12. Image Hover Effects Ultimate
    • 13. Qubely
    • 14. Registration Magic
    • 15. Orders Tracking for WooCommerce
    • 16. Link Library
    • 17. AF Companion
    • 18. KNR Author List Widget 
    • 19. WP Cookie User Info
  • WordPress Plugin Vulnerabilities: Plugin Closed
    • 20. LabTools
    • 21. Domain Check
    • 22. Error Log Viewer
    • 23. WP Visited Countries Reloaded
    • 24. Learning Courses
    • 25. Perfect Survey
  • WordPress Plugin Vulnerabilities: No Known Fix
    • 26. Mediamatic
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring

2021 WordPress Vulnerability Report Recap: 1,263 Vulnerabilities Disclosed; 98% Plugins

  • In 2021, a total of 1,263 plugin and theme vulnerabilities were disclosed. WordPress plugin vulnerabilities comprised 98% of all vulnerabilities that were reported. 
  • September 2021 saw the most vulnerabilities reported, with a total of 323 vulnerabilities disclosed in that month alone.
  • The most common types of plugin vulnerabilities disclosed in 2021 were cross-site scripting (XSS) and SQL injections. Most plugin authors released patches, while some plugins still remain closed.
  • Due to the increase in vulnerability disclosures, we changed the frequency of the vulnerability report to once a week, rather than twice a month.
  • Thanks to your feedback, we also started listing plugin disclosures in order of active installs. We also started grouping plugins by free and pro, with separate sections for closed plugins and for plugins with no known fix.

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

1. UpdraftPlus

Plugin: UpdraftPlus
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.16.59
Severity Score: High

The vulnerability is patched, so you should update to version 1.16.59.

Plugin: UpdraftPlus
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.16.59
Severity Score: Low

The vulnerability is patched, so you should update to version 1.16.59.

Plugin: UpdraftPlus
Vulnerability: Admin+ Local File Inclusion
Active Installation: 3+ million
Patched in Version: 1.16.59
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.16.59.

2. WebP Converter for Media

Plugin: WebP Converter for Media
Vulnerability: Unauthenticated Open Redirect
Active Installation: 100,000+
Patched in Version: 4.0.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.0.3.

3. WOOF – Products Filter for WooCommerce

Plugin: WOOF – Products Filter for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 1.2.6.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.6.3.

4. LearnPress

Plugin: LearnPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 4.1.3.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.3.2.

5. WP Post Page Clone

Plugin: WP Post Page Clone
Vulnerability: Unauthorised Post Access
Active Installation: 80,000+
Patched in Version: 1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.

6. WP Extra File Types

Plugin: WP Extra File Types
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 50,000+
Patched in Version: 0.5.1
Severity Score: High

The vulnerability is patched, so you should update to version 0.5.1.

7. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.9.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.9.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

8. Custom Dashboard & Login Page

Plugin: Custom Dashboard & Login Page
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 7.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.0.

9. Ultimate FAQ

Plugin: Ultimate FAQ
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installation: 30,000+
Patched in Version: 2.1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.2.

10. WP User Frontend

Plugin: WP User Frontend
Vulnerability: SQL Injection to Reflected Cross-Site Scripting
Active Installation: 30,000+
Patched in Version: 3.5.26
Severity Score: High

The vulnerability is patched, so you should update to version 3.5.26.

11. myCred

Plugin: myCred
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 2.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.4.

12. Image Hover Effects Ultimate

Plugin: Image Hover Effects Ultimate
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 9.7.1
Severity Score: High

The vulnerability is patched, so you should update to version 9.7.1.

13. Qubely

Plugin: Qubely
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installation: 10,000+
Patched in Version: 1.7.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.8.

14. Registration Magic

Plugin: Registration Magic
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 5.0.1.9
Severity Score: High

The vulnerability is patched, so you should update to version 5.0.1.9.

15. Orders Tracking for WooCommerce

Plugin: Orders Tracking for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 1.1.10
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.10.

16. Link Library

Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library
Vulnerability: Library Settings Reset via CSRF
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library
Vulnerability: Unauthenticated Arbitrary Links Deletion
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

17. AF Companion

Plugin: AF Companion
Vulnerability: Arbitrary Plugin Installation & Activation via CSRF
Active Installation: 9,000+
Patched in Version: 1.2.0
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.0.

18. KNR Author List Widget 

Plugin: KNR Author List Widget
Vulnerability: Unauthenticated SQL Injection
Active Installation: 200+
Patched in Version: 3.0.0
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.0.0.

19. WP Cookie User Info

Plugin: WP Cookie User Info
Vulnerability: Admin+ SQL Injection
Active Installation: 200+
Patched in Version: 1.0.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.9.

WordPress Plugin Vulnerabilities: Plugin Closed

This section lists the latest disclosed vulnerabilities in plugins that have been closed in the WordPress.org plugin directory. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.

20. LabTools

Plugin: LabTools 
Vulnerability: Subscriber+ Arbitrary Publication Deletion
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

21. Domain Check

Plugin: Domain Check
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

22. Error Log Viewer

Plugin: Error Log Viewer
Vulnerability: Arbitrary Text File Deletion via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of November 10, 2021. Uninstall and delete.

23. WP Visited Countries Reloaded

Plugin: WP Visited Countries Reloaded
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.1.1 – plugin closed
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

24. Learning Courses

Plugin: Learning Courses
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.0 – plugin closed
Severity Score: Low

This vulnerability has been patched. This plugin has been closed as of October 8, 2021. Uninstall and delete.

25. Perfect Survey

Plugin: Perfect Survey
Vulnerability: Unauthorised AJAX Call to Stored XSS / Survey Settings Update
Patched in Version: 1.5.2 – plugin closed
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 1.5.2 – plugin closed
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.2 – plugin closed
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

Plugin: Perfect Survey
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

WordPress Plugin Vulnerabilities: No Known Fix

This section lists the latest disclosed vulnerabilities for which no patch has been released. Each plugin listing includes the type of vulnerability, the active installations, and the severity rating.

26. Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Active Installation: 3,000+
Patched in Version: No known fix
Severity Score: High

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
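The entries above share one structure (plugin, vulnerability type, patched version or "no known fix", severity, closed or not), which is exactly what an administrator needs to cross-check a site's installed plugins against the report. The script below is an added example written for this post, not code from iThemes, WPScan or any plugin; it transcribes a handful of the report's entries, compares them against a constructed plugin inventory in the shape of WP-CLI's `wp plugin list --fields=name,title,status,version --format=json` output, and applies the report's own rules: update when the installed version is below the patched one, uninstall when the plugin is closed or has no known fix. Versions are compared numerically per segment, which matters because a string comparison would rank "1.9" above "1.16.59".

```python
"""Triage installed WordPress plugins against a vulnerability report.

Added example (not iThemes/WPScan code). REPORT holds entries transcribed
from the January 5, 2022 report; INVENTORY_JSON is constructed sample data
shaped like `wp plugin list --fields=name,title,status,version --format=json`.
"""
import json

# Entries copied from the report. patched_in=None means "No known fix".
REPORT = [
    {"plugin": "UpdraftPlus", "vuln": "Reflected Cross-Site Scripting",
     "patched_in": "1.16.59", "severity": "High", "closed": False},
    {"plugin": "WebP Converter for Media", "vuln": "Unauthenticated Open Redirect",
     "patched_in": "4.0.3", "severity": "Medium", "closed": False},
    {"plugin": "KNR Author List Widget", "vuln": "Unauthenticated SQL Injection",
     "patched_in": "3.0.0", "severity": "Critical", "closed": False},
    {"plugin": "LabTools", "vuln": "Subscriber+ Arbitrary Publication Deletion",
     "patched_in": None, "severity": "Medium", "closed": True},
    {"plugin": "Perfect Survey", "vuln": "Unauthenticated SQL Injection",
     "patched_in": "1.5.2", "severity": "High", "closed": True},
    {"plugin": "Mediamatic", "vuln": "Subscriber+ SQL Injection",
     "patched_in": None, "severity": "High", "closed": False},
]

# Constructed inventory (sample data, not a real site).
INVENTORY_JSON = """[
 {"name": "updraftplus", "title": "UpdraftPlus", "status": "active", "version": "1.16.58"},
 {"name": "webp-converter-for-media", "title": "WebP Converter for Media", "status": "active", "version": "4.0.3"},
 {"name": "knr-author-list-widget", "title": "KNR Author List Widget", "status": "inactive", "version": "2.9"},
 {"name": "perfect-survey", "title": "Perfect Survey", "status": "active", "version": "1.5.2"},
 {"name": "mediamatic", "title": "Mediamatic", "status": "active", "version": "2.0"}
]"""

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_version(v):
    """'1.16.59' -> (1, 16, 59). Non-digit suffixes such as '1.2-beta' are dropped."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly below b; shorter tuples are zero-padded so 1.2 == 1.2.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def assess(entry, installed_version):
    """Apply the report's advice: 'uninstall' for closed / no-fix plugins,
    'update' when the installed version predates the patch, else 'ok'."""
    if entry["closed"] or entry["patched_in"] is None:
        return "uninstall"
    if version_lt(installed_version, entry["patched_in"]):
        return "update"
    return "ok"


def triage(inventory_json, report=REPORT):
    """Match installed plugins to report entries by title (case-insensitive)
    and return the actionable findings, most severe first. Inactive plugins
    are still reported: their files remain on disk and reachable."""
    installed = {p["title"].lower(): p for p in json.loads(inventory_json)}
    findings = []
    for entry in report:
        plugin = installed.get(entry["plugin"].lower())
        if plugin is None:
            continue  # report entry does not apply to this site
        action = assess(entry, plugin["version"])
        if action != "ok":
            findings.append({
                "plugin": entry["plugin"], "installed": plugin["version"],
                "status": plugin["status"], "vuln": entry["vuln"],
                "severity": entry["severity"], "patched_in": entry["patched_in"],
                "action": action,
            })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: report order within a tier
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY_JSON):
        fix = f["patched_in"] or "no known fix"
        print(f'{f["severity"]:9}{f["plugin"]} {f["installed"]} ({f["status"]}): '
              f'{f["action"].upper()} - {f["vuln"]} [fix: {fix}]')
```

On the sample inventory this flags KNR Author List Widget (Critical, update), UpdraftPlus (update), Perfect Survey (uninstall, closed) and Mediamatic (uninstall, no known fix), and passes WebP Converter for Media because it is already at the patched version. Matching by title is an assumption of this example; on a real site, matching on the WordPress.org slug (the `name` field) is more reliable than display titles.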

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked, with 30+ ways to secure your site in one easy-to-use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Activate File Change Detection

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices
  • reCAPTCHA
  • Brute force protection
  • Privilege escalation
  • Compromised passwords check & refusal

Get iThemes Security Pro

iThemes Media LLC Copyright © 2022 All rights reserved | Privacy Policy