Menu
iThemes
WordPress Security, Backups & Maintenance
  • Products
    • iThemes Security Pro
    • BackupBuddy
    • iThemes Sync
    • Why buy from iThemes?
  • Bundles
    • Essentials Bundle
    • Solid Foundations
    • Customer Spotlights
  • Resources
    • Blog
    • WordPress 101 Tutorials
    • WordPress Ebooks
    • Weekly WordPress Vulnerability Report
    • The Ultimate Guide to Starting a Web Design Business
  • Training
    • Upcoming Webinars
    • Free Webinar Library
    • Premium Courses
    • Become a Member
    • Member Login
  • Support
    • Documentation
    • Get Help
    • Product Updates
    • Upgrade Policy
    • Contact
    • Our Mission: Make People’s Lives Awesome
  • Log In
WordPress News and Updates from iThemes
Categories
  • Product Updates
  • WordPress Backup
  • WordPress Block Editor
  • WordPress Ecommerce
  • WordPress for Freelancers
  • WordPress Security
  • WordPress Tutorials
  • WPprosper

WordPress Vulnerability Report: January 2022, Part 2

Written by iThemes Editorial Team on January 12, 2022

Last Updated on January 12, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.

Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the January 12, 2022 Report
  • WordPress Core Vulnerabilities
    • WordPress Core
  • WordPress Plugin Vulnerabilities
    • 1. SVG Support
    • 2. Asset CleanUp
    • 3. Paid Memberships Pro
    • 4. NextScripts: Social Networks Auto-Poster 
    • 5. Ivory Search
    • 6. Easy Social Feed
    • 7. Visual CSS Style Editor
    • 8. Contact Form Entries
    • 9. Advanced Cron Manager
    • 10. WPLegalPages
    • 11. WP Visitor Statistics (Real Time Traffic)
    • 12. Wicked Folders
    • 13. SupportCandy
    • 14. Rearrange Woocommerce Products
    • 15. IP2Location Country Blocker
    • 16. Awesome Support – WordPress HelpDesk & Support Plugin
    • 17. Ultimate Product Catalog
    • 18. Document Embedder
    • 19. RVM – Responsive Vector Maps
    • 20. Mediamatic 
    • 21. Woopra
    • 22. User Rights Access Manager
    • 23. YuMoney button
    • 24. TrustMate.io integration for WooCommerce
    • 25. True Ranker
    • 26. WebHotelier for WordPress
  • Premium Plugin Vulnerabilities
    • 27. Advanced Cron Manager Pro
  • WordPress Plugin Vulnerabilities: No Known Fix
    • 28. Contact Form 7 Skins
    • 29. WooRockets Nitro
    • 30. Amazon Affiliate
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring
Want this report delivered to your inbox each week?
Subscribe to the weekly email

WordPress Core Vulnerabilities

The latest version of WordPress core was released on January 6, 2022 as a short-cycle security release. Because WordPress 5.8.3 is a security release, we recommend that you update all your sites immediately.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.

If you have sites that have enabled automatic background updates, they should have already updated successfully.

WordPress Core

Vulnerability: SQL Injection via WP_Query
Patched in Version: 5.8.3
Explanation: Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection.

The vulnerability has been patched, so make sure you are running WordPress 5.8.3.

Vulnerability: Author+ Stored XSS via Post Slugs
Patched in Version: 5.8.3
Explanation: Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack via post slugs, which can affect high-privileged users.

The vulnerability has been patched, so make sure you are running WordPress 5.8.3.

Vulnerability: Super Admin Object Injection in Multisites
Patched in Version: 5.8.3
Explanation: On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection.

The vulnerability has been patched, so make sure you are running WordPress 5.8.3.

Vulnerability: SQL Injection via WP_Meta_Query
Patched in Version: 5.8.3
Explanation: Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection.

The vulnerability has been patched, so make sure you are running WordPress 5.8.3.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

1. SVG Support

Plugin: SVG Support
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 800,000+
Patched in Version: 2.3.20
Severity Score: Low

The vulnerability is patched, so you should update to version 2.3.20.

2. Asset CleanUp

Plugin: Asset CleanUp
Vulnerability: Reflected Cross-Site Scripting via AJAX Action
Active Installation: 100,000+
Patched in Version: 1.3.8.5
Severity Score: High

The vulnerability is patched, so you should update to version 1.3.8.5.

Plugin: Asset CleanUp
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 1.3.8.5
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.8.5.

3. Paid Memberships Pro

Plugin: Paid Memberships Pro
Vulnerability: Unauthenticated Blind SQL Injection
Active Installation: 100,000+
Patched in Version: 2.6.7
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.6.7.

4. NextScripts: Social Networks Auto-Poster 

Plugin: NextScripts: Social Networks Auto-Poster 
Vulnerability: Arbitrary Post Deletion via CSRF
Active Installation: 90,000+
Patched in Version: 4.3.25
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.3.25.

Plugin: NextScripts: Social Networks Auto-Poster 
Vulnerability: Unauthenticated Stored XSS
Active Installation: 90,000+
Patched in Version: 4.3.25
Severity Score: High

The vulnerability is patched, so you should update to version 4.3.25.

5. Ivory Search

Plugin: Ivory Search
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 80,000+
Patched in Version: 5.4.1
Severity Score: High

The vulnerability is patched, so you should update to version 5.4.1.

6. Easy Social Feed

Plugin: Easy Social Feed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 70,000+
Patched in Version: 6.2.7
Severity Score: High

The vulnerability is patched, so you should update to version 6.2.7.

7. Visual CSS Style Editor

Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 50,000+
Patched in Version: 7.5.4
Severity Score: High

The vulnerability is patched, so you should update to version 7.5.4.

8. Contact Form Entries

Plugin: Contact Form Entries
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.1.7
Severity Score: High

The vulnerability is patched, so you should update to version 1.1.7.

9. Advanced Cron Manager

Plugin: Advanced Cron Manager
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Active Installation: 30,000+
Patched in Version: 2.4.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.2.

10. WPLegalPages

Plugin: WPLegalPages
Vulnerability: Subscriber+ Arbitrary Settings Update to Stored XSS
Active Installation: 20,000+
Patched in Version: 2.7.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.7.1.

11. WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Subscriber+ SQL Injection
Active Installation: 20,000+
Patched in Version: 4.8
Severity Score: High

The vulnerability is patched, so you should update to version 4.8.

12. Wicked Folders

Plugin: Wicked Folders
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 2.8.10
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.10.

13. SupportCandy

Plugin: SupportCandy
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.7.

Plugin: SupportCandy
Vulnerability: CSRF to Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.7.

Plugin: SupportCandy
Vulnerability: Arbitrary Ticket Deletion via CSRF
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.7.

Plugin: SupportCandy
Vulnerability: Unauthenticated Arbitrary Ticket Deletion
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.7.

Plugin: SupportCandy
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.2.7.

14. Rearrange Woocommerce Products

Plugin: Rearrange Woocommerce Products
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 3.0.8
Severity Score: High

The vulnerability is patched, so you should update to version 3.0.8.

15. IP2Location Country Blocker

Plugin: IP2Location Country Blocker
Vulnerability: Arbitrary Country Ban via CSRF
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.26.6.

Plugin: IP2Location Country Blocker
Vulnerability: Subscriber+ Arbitrary Country Ban
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.26.6.

Plugin: IP2Location Country Blocker
Vulnerability: Ban Bypass
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.26.6.

16. Awesome Support – WordPress HelpDesk & Support Plugin

Plugin: Awesome Support – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 10,000+
Patched in Version: 6.0.11
Severity Score: High

The vulnerability is patched, so you should update to version 6.0.11.

17. Ultimate Product Catalog

Plugin: Ultimate Product Catalog
Vulnerability: Subscriber+ Arbitrary Product Creation & Settings Update
Active Installation: 10,000
Patched in Version: 5.0.26
Severity Score: Medium

The vulnerability is patched, so you should update to version 5.0.26.

18. Document Embedder

Plugin: Document Embedder
Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Active Installation: 9,000+
Patched in Version: 1.7.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.9.

Plugin: Document Embedder
Vulnerability: Unauthenticated Arbitrary Private/Draft Post Title Disclosure
Active Installation: 9,000+
Patched in Version: 1.7.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.9.

19. RVM – Responsive Vector Maps

Plugin: RVM – Responsive Vector Maps
Vulnerability: Subscriber+ Arbitrary File Read
Active Installation: 6,000+
Patched in Version: 6.4.2
Severity Score: High

The vulnerability is patched, so you should update to version 6.4.2.

20. Mediamatic 

Plugin: Mediamatic 
Vulnerability: Subscriber+ SQL Injection
Active Installation: 3,000+
Patched in Version: 2.8.1
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.1.

21. Woopra

Plugin: Woopra
Vulnerability: Unauthenticated Arbitrary File Upload
Active Installation: 2,000+
Patched in Version: 1.4.3.2
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.4.3.2.

22. User Rights Access Manager

Plugin: User Rights Access Manager
Vulnerability: Access Restriction Bypass
Active Installation: 900+
Patched in Version: 1.0.8
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.8.

23. YuMoney button

Plugin: YuMoney button – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 900+
Patched in Version: 2.4.0
Severity Score: High

The vulnerability is patched, so you should update to version 2.4.0.

24. TrustMate.io integration for WooCommerce

Plugin: TrustMate.io integration for WooCommerce
Vulnerability: Subscriber+ Arbitrary Plugin’s Settings Update
Active Installation: 300+
Patched in Version: 1.8.12
Severity Score: High

The vulnerability is patched, so you should update to version 1.8.12.

Plugin: TrustMate.io integration for WooCommerce
Vulnerability: Subscriber+ Arbitrary Blog Option Update
Active Installation: 300+
Patched in Version: 1.7.1
Severity Score: High

The vulnerability is patched, so you should update to version 1.8.12.

25. True Ranker

Plugin: True Ranker
Vulnerability: Unauthenticated Arbitrary File Access via Path Traversal
Active Installation: 300+
Patched in Version: 2.2.4
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.4.

26. WebHotelier for WordPress

Plugin: WebHotelier for WordPress – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 200+
Patched in Version: 1.6.1
Severity Score: High

The vulnerability is patched, so you should update to version 1.6.1.

Premium Plugin Vulnerabilities

In this section, the latest WordPress premium plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

27. Advanced Cron Manager Pro

Plugin: Advanced Cron Manager Pro  
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Patched in Version: 2.5.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.5.3.

WordPress Plugin Vulnerabilities: No Known Fix

In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.

28. Contact Form 7 Skins

Plugin: Contact Form 7 Skins
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 30,000+
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

29. WooRockets Nitro

Plugin: WooRockets Nitro
Vulnerability: Unauthenticated Arbitrary Plugin Installation
Patched in Version: No known fix
Severity Score: Critical

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

30. Amazon Affiliate

Plugin: Amazon Affiliate
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Activate File Change Detection

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices
  • reCAPTCHA
  • Brute force protection
  • Privilege escalation
  • Compromised passwords check & refusal

Get iThemes Security Pro

iThemes Team
iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

Share via:

  • Facebook
  • Twitter
  • LinkedIn
  • More
Other related posts
WordPress vulnerability report
WordPress Vulnerability Report – September 13, 2023
WordPress Vulnerability Report
WordPress Vulnerability Report – September 6, 2023
wordpress vulnerability report - security
WordPress Vulnerability Report – August 30, 2023
WordPress Vulnerability Report
WordPress Vulnerability Report – August 23, 2023

Get updates on new themes & plugins plus special discounts

About iThemes

  • Contact Us
  • Website Accessibility Statement
  • Sitemap

Resources

  • Blog
  • Documentation
  • WordPress Tutorials
  • Free WordPress Ebooks
  • Free Webinar Library
  • Free Upcoming Webinars
  • iThemes Training
  • Affiliates

Customers

  • Member Panel Login
  • Support
  • FAQs
  • Upgrade Policy
  • Licensing
  • Terms and Conditions
  • Refund Policy

Top Products

  • BackupBuddy
  • iThemes Security Pro
  • iThemes Sync
  • Restrict Content Pro
  • WPComplete
  • WordPress Plugins
  • Content Upgrades
  • WordPress Landing Page Plugin
  • BackupBuddy Stash

iThemes Media LLC Copyright © 2023 All rights reserved | Privacy Policy

A Liquid Web Brand © 2022 All Rights Reserved.

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Report
Share via
Facebook
Twitter
LinkedIn
Mix
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.
No spam. Unsubscribe anytime.