Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
2021 WordPress Vulnerability Report Recap: 1,263 Vulnerabilities Disclosed; 98% Plugins
- In 2021, a total of 1,263 plugin and theme vulnerabilities were disclosed. WordPress plugin vulnerabilities comprised 98% of all vulnerabilities that were reported.
- September 2021 saw the most vulnerabilities reported, with a total of 323 vulnerabilities disclosed in that month alone.
- The most common types of plugin vulnerabilities disclosed in 2021 were cross-site scripting (XSS) and SQL injections. Most plugin authors released patches, while some plugins still remain closed.
- Due to the increase in vulnerability disclosures, we changed the frequency of the vulnerability report to once a week, rather than twice a month.
- Thanks to your feedback, we also started listing plugin disclosures in order of active installs. We also started grouping plugins by free and pro, with a separate section for closed plugins and for plugins with no known fix.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability (with the minimum role needed to exploit it, where one is required), the number of active installations, the version in which it was patched, and the severity rating. If you run one of these plugins at a version below the patched one, update it now.
1. UpdraftPlus

Plugin: UpdraftPlus
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.16.59
Severity Score: High
Plugin: UpdraftPlus
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.16.59
Severity Score: Low
Plugin: UpdraftPlus
Vulnerability: Admin+ Local File Inclusion
Active Installation: 3+ million
Patched in Version: 1.16.59
Severity Score: Medium
2. WebP Converter for Media

Plugin: WebP Converter for Media
Vulnerability: Unauthenticated Open redirect
Active Installation: 100,000+
Patched in Version: 4.0.3
Severity Score: Medium
3. WOOF – Products Filter for WooCommerce

Plugin: WOOF – Products Filter for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 1.2.6.3
Severity Score: High
4. LearnPress

Plugin: LearnPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 4.1.3.2
Severity Score: Medium
5. WP Post Page Clone

Plugin: WP Post Page Clone
Vulnerability: Unauthorised Post Access
Active Installation: 80,000+
Patched in Version: 1.2
Severity Score: Medium
6. WP Extra File Types
Plugin: WP Extra File Types
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 50,000+
Patched in Version: 0.5.1
Severity Score: High
7. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.9.12
Severity Score: High
Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.9.12
Severity Score: High
8. Custom Dashboard & Login Page

Plugin: Custom Dashboard & Login Page
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 7.0
Severity Score: Medium
9. Ultimate FAQ

Plugin: Ultimate FAQ
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installation: 30,000+
Patched in Version: 2.1.2
Severity Score: Medium
10. WP User Frontend

Plugin: WP User Frontend
Vulnerability: SQL Injection to Reflected Cross-Site Scripting
Active Installation: 30,000+
Patched in Version: 3.5.26
Severity Score: High
11. myCred

Plugin: myCred
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 2.4
Severity Score: High
12. Image Hover Effects Ultimate

Plugin: Image Hover Effects Ultimate
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 20,000+
Patched in Version: 9.7.1
Severity Score: High
13. Qubely

Plugin: Qubely
Vulnerability: Subscriber+ Arbitrary FAQ Creation
Active Installation: 10,000+
Patched in Version: 1.7.8
Severity Score: Medium
14. Registration Magic

Plugin: Registration Magic
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 5.0.1.9
Severity Score: High
15. Orders Tracking for WooCommerce

Plugin: Orders Tracking for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 1.1.10
Severity Score: High
16. Link Library

Plugin: Link Library
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium
Plugin: Link Library
Vulnerability: Library Settings Reset via CSRF
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium
Plugin: Link Library
Vulnerability: Unauthenticated Arbitrary Links Deletion
Active Installation: 10,000+
Patched in Version: 7.2.8
Severity Score: Medium
17. AF Companion

Plugin: AF Companion
Vulnerability: Arbitrary Plugin Installation & Activation via CSRF
Active Installation: 9,000+
Patched in Version: 1.2.0
Severity Score: High
18. KNR Author List Widget

Plugin: KNR Author List Widget
Vulnerability: Unauthenticated SQL Injection
Active Installation: 200+
Patched in Version: 3.0.0
Severity Score: Critical
19. WP Cookie User Info

Plugin: WP Cookie User Info
Vulnerability: Admin+ SQL Injection
Active Installation: 200+
Patched in Version: 1.0.9
Severity Score: Medium
WordPress Plugin Vulnerabilities: Plugin Closed
This section lists the latest disclosed vulnerabilities in plugins that have since been closed in the WordPress.org plugin directory. Each listing includes the type of vulnerability, the patched version where one exists, and the severity rating. A closed plugin no longer receives updates through the directory, so even where a fixed version exists you should plan to replace the plugin; where no fix exists, deactivate and delete it.
20. LabTools
Plugin: LabTools
Vulnerability: Subscriber+ Arbitrary Publication Deletion
Patched in Version: No known fix – plugin closed
Severity Score: Medium
21. Domain Check
Plugin: Domain Check
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
22. Error Log Viewer
Plugin: Error Log Viewer
Vulnerability: Arbitrary Text File Deletion via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Low
23. WP Visited Countries Reloaded
Plugin: WP Visited Countries Reloaded
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.1.1 – plugin closed
Severity Score: High
24. Learning Courses
Plugin: Learning Courses
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.0 – plugin closed
Severity Score: Low
25. Perfect Survey
Plugin: Perfect Survey
Vulnerability: Unauthorised AJAX Call to Stored XSS / Survey Settings Update
Patched in Version: 1.5.2 – plugin closed
Severity Score: High
Plugin: Perfect Survey
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 1.5.2 – plugin closed
Severity Score: High
Plugin: Perfect Survey
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.2 – plugin closed
Severity Score: High
Plugin: Perfect Survey
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
WordPress Plugin Vulnerabilities: No Known Fix
This section lists disclosed plugin vulnerabilities for which no patched version is currently available. Each listing includes the type of vulnerability, the number of active installations, and the severity rating. Until a fix is released, the only reliable mitigation is to deactivate and delete the plugin.
26. Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Active Installation: 3,000+
Patched in Version: No known fix
Severity Score: High
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
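The check described above can also be scripted against the report data. The following is an added example, not code from iThemes or from the iThemes Security Pro plugin: it takes the JSON that `wp plugin list --format=json` prints (the `name`, `status`, `update` and `version` fields), compares each installed version against the patched version from this report, and flags anything older than the patch or with no known fix. The plugin slugs in the table and the sample `wp plugin list` output are assumptions for illustration; confirm slugs against the plugin's WordPress.org page before relying on them.

```python
import json
import re
import sys

# Subset of this week's report, keyed by the plugin slug that `wp plugin list`
# prints in its "name" field. Slugs are assumed here; verify against
# wordpress.org/plugins/<slug>. None means no patched version exists.
REPORT = {
    "updraftplus": "1.16.59",
    "learnpress": "4.1.3.2",
    "tutor": "1.9.12",
    "link-library": "7.2.8",
    "mediamatic": None,
}

# Constructed sample of `wp plugin list --format=json` output, used when
# nothing is piped on stdin.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "updraftplus", "status": "active", "update": "available", "version": "1.16.58"},
    {"name": "learnpress", "status": "active", "update": "none", "version": "4.1.3.2"},
    {"name": "tutor", "status": "inactive", "update": "available", "version": "1.9.11"},
    {"name": "link-library", "status": "active", "update": "none", "version": "7.3"},
    {"name": "mediamatic", "status": "active", "update": "none", "version": "2.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.1"},
])


def parse_version(version):
    """Turn a WordPress-style version ("1.2.6.3", "7.0", "2.4-beta1") into a
    tuple of ints built from its leading dotted-numeric prefix."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if match is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(installed, patched):
    """True if `installed` is older than `patched`, or if there is no patch.
    Tuples are zero-padded so that "7" and "7.0" compare equal."""
    if patched is None:
        return True
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(wp_plugin_list_json, report=REPORT):
    """Return (slug, installed, patched, status) for every installed plugin
    that appears in the report at a vulnerable version."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin["name"]
        if slug not in report:
            continue
        patched = report[slug]
        if is_vulnerable(plugin["version"], patched):
            findings.append((slug, plugin["version"], patched, plugin.get("status")))
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for slug, installed, patched, status in audit(data):
        action = f"update to {patched}" if patched else "no fix available: deactivate and delete"
        print(f"{slug} {installed} ({status}): {action}")
```

Run it on a live site with `wp plugin list --format=json | python3 audit.py`. Note that the sample flags `tutor` even though it is inactive: an inactive plugin's files are still on disk and reachable by URL, so a vulnerable plugin you are not using should be deleted, not merely deactivated. A version equal to the patched version (`learnpress` above) is not flagged, and a later version (`link-library` 7.3 against a 7.2.8 patch) is correctly treated as fixed.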
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Each week, the iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.