WordPress Vulnerability Report

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

How Hackers Exploit WordPress Plugin Vulnerabilities

WEDNESDAY, APRIL 6, 2022 @ 1:00 – 2:00 PM (CT)

A FREE ONLINE TRAINING EVENT from the ithemes security team

For many, hackers exploiting plugin vulnerabilities seems mysterious and even frightening. In this webinar, WordPress security expert Kathy Zant will give you a quick and simple overview of how plugin vulnerabilities work with an actual demonstration of an old plugin vulnerability being exploited. This demonstration will underscore how important it is to keep your plugins updated. We’ll also talk about some common attacks and how iThemes Security helps you make good decisions to keep your WordPress websites secure.

Can’t make the live training? Go ahead and register and we’ll email you the replays. See webinar in your time zone.

WordPress Core Vulnerabilities

WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fix and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Installations: 1,000,000+
Vulnerability: Unauthenticated Email Address Disclosure
Patched in Version: 3.6.8-wp
Severity Score: Medium

Loco Translate

Plugin: Loco Translate
Installations: 1,000,000+
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.6.1
Severity Score: High

Safe SVG

Plugin: Safe SVG
Installations: 600,000+
Vulnerability: SVG Sanitization Bypass
Patched in Version: 1.9.10
Severity Score: Medium

Caldera Forms

Plugin: Caldera Forms – More Than Contact Forms
Installations: 200,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.7
Severity Score: Medium

WP Downgrade

Plugin: WP Downgrade | Specific Core Version
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.3
Severity Score: Low

Hummingbird

Plugin: Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS
Installations: 100,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.3.2
Severity Score: Low

Easy Digital Downloads

Plugin: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
Installations: 50,000+
Vulnerability: Arbitrary Payment Note Insertion via CSRF; Admin+ Stored Cross-Site Scripting
Patched in Version: 2.11.6
Severity Score: Low

Woo Product Table

Plugin: Product Table for WooCommerce (wooproducttable.com)
Installations: 8,000+
Vulnerability: Unauthenticated Arbitrary Function Call
Patched in Version: 3.1.2
Severity Score: Critical

Shopping Cart & eCommerce Store

Plugin: Shopping Cart & eCommerce Store
Installations: 6,000+
Vulnerability: Arbitrary Design Settings Update via CSRF
Patched in Version: 5.2.5
Severity Score: Medium

RSVP and Event Management

Plugin: RSVP and Event Management Plugin
Installations: 5,000+
Vulnerability: Unauthenticated Entries Export
Patched in Version: 2.7.8
Severity Score: High

Text Hover

Plugin: Text Hover
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.2
Severity Score: Low

SearchIQ

Plugin: SearchIQ – The Search Solution
Installations: 2,000+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 3.9
Severity Score: High

Simple Event Planner

Plugin: Simple Event Planner
Installations: 1,000+
Vulnerability: Author+ Stored Cross-Site Scripting
Patched in Version: 1.5.5
Severity Score: Medium

Daily Prayer Time

Plugin: Daily Prayer Time
Installations: 1,000+
Vulnerability: Unauthenticated SQLi
Patched in Version: 2022.03.01
Severity Score: High

GS Variation Swatches for WooCommerce

Plugin: GS Variation Swatches for WooCommerce
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.6.0
Severity Score: Medium

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

EXMAGE

Plugin: EXMAGE – WordPress Image Links
Installations: 2,000+
Vulnerability: Admin+ Blind SSRF
Patched in Version: No Fix
Severity Score: Low

Good & Bad Comments

Plugin: Good & Bad comments
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Thank Me Later

Plugin: Thank Me Later
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Page Security & Membership

Plugin: Page Security & Membership
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Autolinks

Plugin: Autolinks
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in Version: No Fix
Severity Score: Medium

Amministrazione Aperta

Plugin: Amministrazione Aperta
Vulnerability: Admin+ LFI
Patched in Version: No Fix
Severity Score: Low

Ad Injection

Plugin: Ad Injection
Vulnerability: Admin+ Stored Cross-Site Scripting & RCE
Patched in Version: No Fix
Severity Score: High

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Good news! No new WordPress theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Vulnerabilities

The Site Scanner checks your site for known vulnerabilities, including plugins, themes, and WordPress core. It also scans Google’s blocklist status and will alert you if Google has found any malware on your website.

3. Activate Automatic Vulnerability Patching

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you … so you don’t have to care about these reports.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Site scanner for plugin and theme vulnerabilities
File change detection
Real-time website security dashboard
WordPress security logs
Trusted devices to protect from session hijacking
reCAPTCHA
Brute force protection
Privilege escalation
Compromised passwords check & refusal

WordPress Vulnerability Report – March 30, 2022

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

Ninja Forms

Loco Translate

Safe SVG

Caldera Forms

WP Downgrade

Hummingbird

Easy Digital Downloads

Woo Product Table

Shopping Cart & eCommerce Store

RSVP and Event Management

Text Hover

SearchIQ

Simple Event Planner

Daily Prayer Time

GS Variation Swatches for WooCommerce

WordPress Plugin Vulnerabilities – No Known Fix

EXMAGE

Good & Bad Comments

Thank Me Later

Page Security & Membership

Autolinks

Amministrazione Aperta

Ad Injection

WordPress Theme Vulnerabilities

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

1. Install the iThemes Security Pro Plugin

2. Enable the Site Scan to Check for Vulnerabilities

3. Activate Automatic Vulnerability Patching

Get iThemes Security Pro with 24/7 Website Security Monitoring

Get iThemes Security Pro

About iThemes

Resources

Customers

Top Products

WordPress Vulnerability Report – March 30, 2022

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

1. Install the iThemes Security Pro Plugin

2. Enable the Site Scan to Check for Vulnerabilities

3. Activate Automatic Vulnerability Patching

Get iThemes Security Pro with 24/7 Website Security Monitoring

Get iThemes Security Pro

Other related posts

About iThemes

Resources

Customers

Top Products