WordPress Vulnerability Report: January 2022, Part 1

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Want this report delivered to your inbox each week?

2021 WordPress Vulnerability Report Recap: 1,263 Vulnerabilities Disclosed; 98% Plugins

In 2021, a total of 1,263 plugin and theme vulnerabilities were disclosed. WordPress plugin vulnerabilities comprised 98% of all vulnerabilities that were reported.
September 2021 saw the most vulnerabilities reported, with a total of 323 vulnerabilties disclosed in that month alone.
The most common types of plugin vulnerabilities disclosed in 2021 were cross-site scripting (XSS) and SQL injections. Most plugin authors released patches, while some plugins still remain closed.
Due to the increase in vulnerability disclosures, we changed the frequency of the vulnerability report to once a week, rather than twice a month.
Thanks to your feedback, we also started listing plugin disclosures in order or active installs. We also started grouping plugins by free and pro, with a separate section for closed plugins and plugins for no known fix.

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

1. UpdraftPlus

Plugin: UpdraftPlus
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.16.569
Severity Score: High

The vulnerability is patched, so you should update to version 1.16.59.

Plugin: UpdraftPlus
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.6.59
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.59.

Plugin: UpdraftPlus
Vulnerability: Admin+ Local File Inclusion
Active Installation: 3+ million
Patched in Version: 1.16.59
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.16.59.

2. WebP Converter for Media

Plugin: WebP Converter for Media
Vulnerability: Unauthenticated Open redirect
Active Installation: 100,000+
Patched in Version: 4.0.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.0.3.

3. WOOF – Products Filter for WooCommerce

Plugin: WOOF – Products Filter for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 1.2.6.3
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.6.3.

4. LearnPress

Plugin: LearnPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 4.1.3.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.3.2.

5. WP Post Page Clone

Plugin: WP Post Page Clone
Vulnerability: Unauthorised Post Access
Active Installation: 80,000+
Patched in Version: 1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.

6. WP Extra File Types

Plugin: WP Extra File Types
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 50,000+
Patched in Version: 0.5.1
Severity Score: High

The vulnerability is patched, so you should update to version 0.5.1.

7. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.9.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.9.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.9.12.

Plugin: Custom Dashboard & Login Page
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 7.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.0.

9. Ultimate FAQ

Plugin: Ultimate FAQ
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installation: 30,000+
Patched in Version: 2.1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.2.

10. WP User Frontend

Plugin: WP User Frontend
Vulnerability: SQL Injection to Reflected Cross-Site Scripting
Active Installation: 30,000+
Patched in Version: 3.5.26
Severity Score: High

The vulnerability is patched, so you should update to version 3.5.26.

11. myCred

Plugin: myCred
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 2.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.4.

12. Image Hover Effects Ultimate

Plugin: Image Hover Effects Ultimate
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 9.7.1
Severity Score: High

The vulnerability is patched, so you should update to version 9.7.1.

13. Qubely

Plugin: Qubely
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installation: 10,000+
Patched in Version: 1.7.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.8.

14. Registration Magic

Plugin: Registration Magic
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 5.0.1.9
Severity Score: High

The vulnerability is patched, so you should update to version 5.0.1.9.

15. Orders Tracking for WooCommerce

Plugin: Orders Tracking for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 1.1.10
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.10.

16. Link Library

Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library
Vulnerability: Library Settings Reset via CSRF
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

Plugin: Link Library
Vulnerability: Unauthenticated Arbitrary Links Deletion
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 7.2.8.

17. AF Companion

Plugin: AF Companion
Vulnerability: Arbitrary Plugin Installation & Activation via CSRF
Active Installation: 9,000+
Patched in Version: 1.2.0
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.0.

Plugin: KNR Author List Widget
Vulnerability: Unauthenticated SQL Injection
Active Installation: 200+
Patched in Version: 3.0.0
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.0.0.

Plugin: WP Cookie User Info
Vulnerability: Admin+ SQL Injection
Active Installation: 200+
Patched in Version: 1.0.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.9.

WordPress Plugin Vulnerabilities: Plugin Closed

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.

20. LabTools

Plugin: LabTools
Vulnerability: Subscriber+ Arbitrary Publication Deletion
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

21. Domain Check

Plugin: Domain Check
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High

This vulnerability has NOT been patched. This plugin has been closed as of December 28, 2021. Uninstall and delete.

22. Error Log Viewer

Plugin: Error Log Viewer
Vulnerability: Arbitrary Text File Deletion via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of November 10, 2021. Uninstall and delete.

23. WP Visited Countries Reloaded

Plugin: WP Visited Countries Reloaded
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.1.1- plugin closed
Severity Score: High

This vulnerability has been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

24. Learning Courses

Plugin: Learning Courses
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.0 – plugin closed
Severity Score: Low

This vulnerability has been patched. This plugin has been closed as of October 8, 2021. Uninstall and delete.

25. Perfect Survey

Plugin: Perfect Survey
Vulnerability: Unauthorised AJAX Call to Stored XSS / Survey Settings Update
Patched in Version: 1.5.2 – plugin closed
Severity Score: High