Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core Vulnerabilities
The latest version of WordPress core was released on January 6, 2022 as a short-cycle security release. Because WordPress 5.8.3 is a security release, we recommend that you update all your sites immediately.
You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.
If you have sites that have enabled automatic background updates, they should have already updated successfully.
WordPress Core
Vulnerability: SQL Injection via WP_Query
Patched in Version: 5.8.3
Explanation: Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection.
Vulnerability: Author+ Stored XSS via Post Slugs
Patched in Version: 5.8.3
Explanation: Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack via post slugs, which can affect high-privileged users.
Vulnerability: Super Admin Object Injection in Multisites
Patched in Version: 5.8.3
Explanation: On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection.
Vulnerability: SQL Injection via WP_Meta_Query
Patched in Version: 5.8.3
Explanation: Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection.
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
1. SVG Support
Plugin: SVG Support
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 800,000+
Patched in Version: 2.3.20
Severity Score: Low
2. Asset CleanUp
Plugin: Asset CleanUp
Vulnerability: Reflected Cross-Site Scripting via AJAX Action
Active Installation: 100,000+
Patched in Version: 1.3.8.5
Severity Score: High
Plugin: Asset CleanUp
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 1.3.8.5
Severity Score: Medium
3. Paid Memberships Pro
Plugin: Paid Memberships Pro
Vulnerability: Unauthenticated Blind SQL Injection
Active Installation: 100,000+
Patched in Version: 2.6.7
Severity Score: Critical
4. NextScripts: Social Networks Auto-Poster
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Arbitrary Post Deletion via CSRF
Active Installation: 90,000+
Patched in Version: 4.3.25
Severity Score: Medium
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Unauthenticated Stored XSS
Active Installation: 90,000+
Patched in Version: 4.3.25
Severity Score: High
5. Ivory Search
Plugin: Ivory Search
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 80,000+
Patched in Version: 5.4.1
Severity Score: High
6. Easy Social Feed
Plugin: Easy Social Feed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 70,000+
Patched in Version: 6.2.7
Severity Score: High
7. Visual CSS Style Editor
Plugin: Visual CSS Style Editor
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 50,000+
Patched in Version: 7.5.4
Severity Score: High
8. Contact Form Entries
Plugin: Contact Form Entries
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 1.1.7
Severity Score: High
9. Advanced Cron Manager
Plugin: Advanced Cron Manager
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Active Installation: 30,000+
Patched in Version: 2.4.2
Severity Score: Medium
10. WPLegalPages
Plugin: WPLegalPages
Vulnerability: Subscriber+ Arbitrary Settings Update to Stored XSS
Active Installation: 20,000+
Patched in Version: 2.7.1
Severity Score: Medium
11. WP Visitor Statistics (Real Time Traffic)
Plugin: WP Visitor Statistics (Real Time Traffic)
Vulnerability: Subscriber+ SQL Injection
Active Installation: 20,000+
Patched in Version: 4.8
Severity Score: High
12. Wicked Folders
Plugin: Wicked Folders
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 2.8.10
Severity Score: High
13. SupportCandy
Plugin: SupportCandy
Vulnerability: Contributor+ Stored Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium
Plugin: SupportCandy
Vulnerability: CSRF to Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium
Plugin: SupportCandy
Vulnerability: Arbitrary Ticket Deletion via CSRF
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: High
Plugin: SupportCandy
Vulnerability: Unauthenticated Arbitrary Ticket Deletion
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: High
Plugin: SupportCandy
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 10,000+
Patched in Version: 2.2.7
Severity Score: Medium
14. Rearrange Woocommerce Products
Plugin: Rearrange Woocommerce Products
Vulnerability: Subscriber+ SQL Injection
Active Installation: 10,000+
Patched in Version: 3.0.8
Severity Score: High
15. IP2Location Country Blocker
Plugin: IP2Location Country Blocker
Vulnerability: Arbitrary Country Ban via CSRF
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium
Plugin: IP2Location Country Blocker
Vulnerability: Subscriber+ Arbitrary Country Ban
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium
Plugin: IP2Location Country Blocker
Vulnerability: Ban Bypass
Active Installation: 10,000+
Patched in Version: 2.26.6
Severity Score: Medium
16. Awesome Support – WordPress HelpDesk & Support Plugin
Plugin: Awesome Support – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 10,000+
Patched in Version: 6.0.11
Severity Score: High
17. Ultimate Product Catalog
Plugin: Ultimate Product Catalog
Vulnerability: Subscriber+ Arbitrary Product Creation & Settings Update
Active Installation: 10,000
Patched in Version: 5.0.26
Severity Score: Medium
18. Document Embedder
Plugin: Document Embedder
Vulnerability: Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Active Installation: 9,000+
Patched in Version: 1.7.9
Severity Score: Medium
Plugin: Document Embedder
Vulnerability: Unauthenticated Arbitrary Private/Draft Post Title Disclosure
Active Installation: 9,000+
Patched in Version: 1.7.9
Severity Score: Medium
19. RVM – Responsive Vector Maps
Plugin: RVM – Responsive Vector Maps
Vulnerability: Subscriber+ Arbitrary File Read
Active Installation: 6,000+
Patched in Version: 6.4.2
Severity Score: High
20. Mediamatic
Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Active Installation: 3,000+
Patched in Version: 2.8.1
Severity Score: High
21. Woopra
Plugin: Woopra
Vulnerability: Unauthenticated Arbitrary File Upload
Active Installation: 2,000+
Patched in Version: 1.4.3.2
Severity Score: Critical
22. User Rights Access Manager
Plugin: User Rights Access Manager
Vulnerability: Access Restriction Bypass
Active Installation: 900+
Patched in Version: 1.0.8
Severity Score: Medium
23. YuMoney button
Plugin: YuMoney button – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 900+
Patched in Version: 2.4.0
Severity Score: High
24. TrustMate.io integration for WooCommerce
Plugin: TrustMate.io integration for WooCommerce
Vulnerability: Subscriber+ Arbitrary Plugin’s Settings Update
Active Installation: 300+
Patched in Version: 1.8.12
Severity Score: High
Plugin: TrustMate.io integration for WooCommerce
Vulnerability: Subscriber+ Arbitrary Blog Option Update
Active Installation: 300+
Patched in Version: 1.7.1
Severity Score: High
25. True Ranker
Plugin: True Ranker
Vulnerability: Unauthenticated Arbitrary File Access via Path Traversal
Active Installation: 300+
Patched in Version: 2.2.4
Severity Score: High
26. WebHotelier for WordPress
Plugin: WebHotelier for WordPress – Titan Framework
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 200+
Patched in Version: 1.6.1
Severity Score: High
Premium Plugin Vulnerabilities
In this section, the latest WordPress premium plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
27. Advanced Cron Manager Pro
Plugin: Advanced Cron Manager Pro
Vulnerability: Subscriber+ Arbitrary Events/Schedules Creation/Deletion
Patched in Version: 2.5.3
Severity Score: Medium
WordPress Plugin Vulnerabilities: No Known Fix
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.
28. Contact Form 7 Skins
Plugin: Contact Form 7 Skins
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 30,000+
Patched in Version: No known fix
Severity Score: Medium
29. WooRockets Nitro
Plugin: WooRockets Nitro
Vulnerability: Unauthenticated Arbitrary Plugin Installation
Patched in Version: No known fix
Severity Score: Critical
30. Amazon Affiliate
Plugin: Amazon Affiliate
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.
