WordPress Vulnerability Report – March 9, 2022

Written by Michael Moore on March 9, 2022

Last Updated on March 9, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the March 9, 2022 Report
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • MC4WP
    • Translate WordPress with GTranslate
    • Popup Builder
    • String Locator
    • Menu Image, Icons made easy
    • Amelia
    • Drag and Drop Multiple File Upload – Contact Form 7
    • WordPress File Upload
    • WPC Smart Wishlist for WooCommerce
    • SpeakOut! Email Petitions
    • Church Admin
    • Coupon Affiliates
    • Revision Manager TMC
    • Title Experiments Free
    • Task Scheduler
    • Limit Login Attempts (Spam Protection)
    • Popup Like box
    • Admin Page Framework
    • Conference Scheduler
    • Plezi
  • WordPress Plugin Vulnerabilities – No Known Fix
    • Pz-LinkCard
    • WP Block and Stop Bad Bots
    • Sermon Browser
    • Faculty Weekly Schedule
    • Read Offline
    • OSMapper
    • Bank Mellat
    • Better Search TMC
    • Bulk Creator
    • Delete Old Orders
    • Mapping Multiple URLs Redirect Same Page
    • Multilist Subscribe for Sendy
    • Akismet Privacy Policies
    • Interactive Medical Drawing of Human Body
    • dTabs
    • Narnoo Distributor
    • Sync WooCommerce Product feed to Google Shopping
    • Database Peek
    • Wow Countdowns
  • Updates Continue for 400+ Plugins, Themes Impacted by Insecure Freemius Version
  • WordPress Theme Vulnerabilities
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring

WordPress Core Vulnerabilities

WordPress 5.9.1 was released on February 22, 2022, as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the WordPress plugin vulnerabilities disclosed this week. Each listing gives the vulnerability type, the plugin's active installations, the version that patches it (if any), and the severity rating.

MC4WP

Plugin: MC4WP: Mailchimp for WordPress
Installations: 2,000,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.8.7
Severity: Low
The vulnerability has been patched, so you should update to version 4.8.7.

Translate WordPress with GTranslate

Plugin: Translate WordPress with GTranslate
Installations: 300,000+
Vulnerability: CSRF to Account Takeover
Patched in Version: 2.9.9
Severity: High
The vulnerability has been patched, so you should update to version 2.9.9.

Popup Builder

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Installations: 200,000+
Vulnerability: SQL Injection to Reflected Cross-Site Scripting
Patched in Version: 4.1.1
Severity: Medium
The vulnerability has been patched, so you should update to version 4.1.1.

String Locator

Plugin: String locator
Installations: 100,000+
Vulnerability: Admin+ Arbitrary File Read
Patched in Version: 2.5.0
Severity: Low
The vulnerability has been patched, so you should update to version 2.5.0.

Menu Image, Icons made easy

Plugin: Menu Image, Icons made easy
Installations: 100,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: 3.0.8
Severity: High
The vulnerability has been patched, so you should update to version 3.0.8.

Amelia

Plugin: Amelia – Events & Appointments Booking Calendar
Installations: 40,000+
Vulnerability: Unauthenticated Stored XSS via lastName; Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
Patched in Version: 1.0.47
Severity: High
The vulnerabilities have been patched, so you should update to version 1.0.47.

Drag and Drop Multiple File Upload – Contact Form 7

Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Installations: 40,000+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 1.3.6.3
Severity: Medium
The vulnerability has been patched, so you should update to version 1.3.6.3.

WordPress File Upload

Plugin: WordPress File Upload
Installations: 30,000+
Vulnerability: Contributor+ Path Traversal to RCE
Patched in Version: 4.16.3
Severity: Critical
The vulnerability has been patched, so you should update to version 4.16.3.

WPC Smart Wishlist for WooCommerce

Plugin: WPC Smart Wishlist for WooCommerce
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.9.4
Severity: Medium
The vulnerability has been patched, so you should update to version 2.9.4.

SpeakOut! Email Petitions

Plugin: SpeakOut! Email Petitions
Installations: 5,000+
Vulnerability: Unauthenticated SQLi
Patched in Version: 2.14.15.1
Severity: High
The vulnerability has been patched, so you should update to version 2.14.15.1.

Church Admin

Plugin: Church Admin
Installations: 1,000+
Vulnerability: Unauthenticated Plugin's Backup Disclosure
Patched in Version: 3.4.135
Severity: High
The vulnerability has been patched, so you should update to version 3.4.135.

Coupon Affiliates

Plugin: WooCommerce Affiliate Plugin – Coupon Affiliates
Installations: 1,000+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 4.16.4.5
Severity: High
The vulnerability has been patched, so you should update to version 4.16.4.5.

Revision Manager TMC

Plugin: Revision Manager TMC
Installations: 1,000+
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: 2.8.0
Severity: Medium
The vulnerability has been patched, so you should update to version 2.8.0.

Title Experiments Free

Plugin: Title Experiments Free
Installations: 800+
Vulnerability: Unauthenticated SQLi
Patched in Version: 9.0.1
Severity: High
The vulnerability has been patched, so you should update to version 9.0.1.

Task Scheduler

Plugin: Task Scheduler
Installations: 500+
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: 1.6.1
Severity: Medium
The vulnerability has been patched, so you should update to version 1.6.1.

Limit Login Attempts (Spam Protection)

Plugin: Limit Login Attempts (Spam Protection)
Installations: 300+
Vulnerability: Unauthenticated SQLi
Patched in Version: 5.1
Severity: High
The vulnerability has been patched, so you should update to version 5.1.

Popup Like box

Plugin: Popup Like box – Page Plugin
Installations: 300+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.6.1
Severity: Medium
The vulnerability has been patched, so you should update to version 3.6.1.

Admin Page Framework

Plugin: Admin Page Framework
Installations: 200+
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: 3.9.0
Severity: Medium
The vulnerability has been patched, so you should update to version 3.9.0.

Conference Scheduler

Plugin: Conference Scheduler
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.4.3
Severity: Medium
The vulnerability has been patched, so you should update to version 2.4.3.

Plezi

Plugin: Plezi
Installations: 100+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 1.0.3
Severity: High
The vulnerability has been patched, so you should update to version 1.0.3.

WordPress Plugin Vulnerabilities – No Known Fix

This section lists plugin vulnerabilities with no known fix. Until a patch is available, deactivate and delete the plugin. Deactivating alone is not enough: the plugin's files stay on disk, and any PHP file that can be requested directly over HTTP remains reachable whether or not the plugin is active.

Pz-LinkCard

Plugin: Pz-LinkCard
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: High
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

WP Block and Stop Bad Bots

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Vulnerability: Unauthenticated SQLi
Patched in Version: No Fix
Severity: High
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Sermon Browser

Plugin: Sermon Browser
Vulnerability: Arbitrary File Upload via CSRF
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Faculty Weekly Schedule

Plugin: Faculty Weekly Schedule
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Read Offline

Plugin: Read Offline
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

OSMapper

Plugin: OSMapper
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched in Version: No Fix
Severity: High
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Bank Mellat

Plugin: Bank Mellat
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Better Search TMC

Plugin: Better Search TMC
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Bulk Creator

Plugin: Bulk Creator
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Delete Old Orders

Plugin: Delete Old Orders
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Mapping Multiple URLs Redirect Same Page

Plugin: Mapping multiple URLs redirect same page
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Multilist Subscribe for Sendy

Plugin: Multilist Subscribe for Sendy
Vulnerability: Subscriber+ Arbitrary Options Update
Patched in Version: No Fix
Severity: High
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Akismet Privacy Policies

Plugin: Akismet Privacy Policies
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Interactive Medical Drawing of Human Body

Plugin: Interactive Medical Drawing of Human Body
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity: Low
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

dTabs

Plugin: dTabs
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Narnoo Distributor

Plugin: Narnoo Distributor
Vulnerability: Unauthenticated LFI to Arbitrary File Read / RCE
Patched in Version: No Fix
Severity: High
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Sync WooCommerce Product feed to Google Shopping

Plugin: Sync WooCommerce Product feed to Google Shopping
Vulnerability: Admin+ SQLi
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Database Peek

Plugin: Database Peek
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.

Wow Countdowns

Plugin: Wow Countdowns – easily create any countdowns, counters and timers
Vulnerability: Admin+ SQLi
Patched in Version: No Fix
Severity: Medium
The vulnerability has not been patched. Deactivate and delete the plugin until a fixed version is released.
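
As an added example (not part of the original report, and not iThemes or WPScan code), the following Python script turns the listings above into a triage list for one site. It reads the JSON that `wp plugin list --format=json` emits, compares each installed version against the patched version numerically (so 2.9.10 sorts above 2.9.9 and 2.14.15 below 2.14.15.1, which a plain string compare gets wrong), and says whether to update or to deactivate and delete. The slugs in REPORT are assumed from the plugins' directory names rather than taken from the report, and the installed-plugin JSON is constructed sample data; check both against your own site.

```python
"""Triage installed WordPress plugins against a weekly vulnerability report.

Input is the JSON produced by `wp plugin list --format=json`; output is the
list of actions to take, most severe first.
"""
import json
import re

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# A subset of this week's report. Slugs are ASSUMED (the report gives display
# names only): confirm them against `wp plugin list` before relying on this.
REPORT = {
    "wp-file-upload":           {"fixed": "4.16.3",    "severity": "Critical"},
    "gtranslate":               {"fixed": "2.9.9",     "severity": "High"},
    "speakout-email-petitions": {"fixed": "2.14.15.1", "severity": "High"},
    "mailchimp-for-wp":         {"fixed": "4.8.7",     "severity": "Low"},
    "pz-linkcard":              {"fixed": None,        "severity": "High"},  # no known fix
}

# CONSTRUCTED sample of `wp plugin list --format=json` output, not real site data.
INSTALLED_JSON = """[
  {"name": "wp-file-upload",           "status": "active",   "version": "4.16.2"},
  {"name": "gtranslate",               "status": "active",   "version": "2.9.10"},
  {"name": "speakout-email-petitions", "status": "active",   "version": "2.14.15"},
  {"name": "mailchimp-for-wp",         "status": "inactive", "version": "4.8.7"},
  {"name": "pz-linkcard",              "status": "inactive", "version": "1.0"},
  {"name": "akismet",                  "status": "active",   "version": "4.2.2"}
]"""


def version_tuple(version):
    """Turn '2.14.15.1' into (2, 14, 15, 1).

    Non-numeric parts (e.g. '1.0-beta') count as 0; that is good enough for
    the dotted-numeric versions in the report and avoids string ordering.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def is_older(installed, fixed):
    """True when `installed` is strictly below `fixed`; shorter tuples are zero-padded."""
    a, b = version_tuple(installed), version_tuple(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(installed_json, report=REPORT):
    """Return a list of {plugin, severity, installed, action}, most severe first."""
    actions = []
    for plugin in json.loads(installed_json):
        entry = report.get(plugin["name"])
        if entry is None:
            continue  # not in this week's report
        if entry["fixed"] is None:
            # Deactivating alone leaves the plugin's PHP files reachable over HTTP,
            # so an inactive plugin with no fix still has to be deleted.
            action = "deactivate and delete" if plugin["status"] == "active" else "delete"
        elif is_older(plugin["version"], entry["fixed"]):
            action = f"update to {entry['fixed']}"
        else:
            continue  # already at or above the patched version
        actions.append({
            "plugin": plugin["name"],
            "severity": entry["severity"],
            "installed": plugin["version"],
            "action": action,
        })
    actions.sort(key=lambda a: SEVERITY_RANK[a["severity"]])  # stable sort keeps report order within a severity
    return actions


if __name__ == "__main__":
    for a in triage(INSTALLED_JSON):
        print(f"{a['severity']:<9} {a['plugin']:<26} {a['installed']:<10} -> {a['action']}")
```

On a real site, run `wp plugin list --format=json` and pass its output in place of INSTALLED_JSON; `wp theme list --format=json` has the same shape, so the theme section of a report can be checked the same way. The script deliberately does not filter on `status`: inactive plugins are reported too, because their files are still on disk.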

Updates Continue for 400+ Plugins, Themes Impacted by Insecure Freemius Version

Last week, it was discovered that many plugins and themes are using an insecure version of the Freemius Framework, which is used to power their upsell paths from free to Pro.

As of this report, over 400 plugins and 25 themes are impacted. Because the list is so large, we’re linking directly to the WPScan vulnerability disclosure for the latest information about patches.

Actions to take:

  • Update all your themes and plugins to the latest versions.
  • Be sure to turn on automatic updates for your plugins and themes as developers continue to release updates.
  • Activate the iThemes Security Site Scan module to get a notification if we find that you are running a vulnerable plugin or theme.
  • Turn on Version Management in iThemes Security to handle automatic vulnerability patching.


WordPress Theme Vulnerabilities

This section lists the WordPress theme vulnerabilities disclosed this week. Each listing gives the vulnerability type, the theme's active installations, the version that patches it (if any), and the severity rating.

  • Good news! No new WordPress theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked, with 30+ ways to secure your site in one easy-to-use plugin.

2. Enable the Site Scan to Check for Vulnerabilities

The Site Scanner checks your site for known vulnerabilities in plugins, themes, and WordPress core. It also checks your site's status on Google's blocklist and alerts you if Google has found malware on your website.

3. Activate Automatic Vulnerability Patching

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins, and WordPress core versions are updated automatically, so you don't have to act on each of these reports by hand.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices to protect from session hijacking
  • reCAPTCHA
  • Brute force protection
  • Privilege escalation
  • Compromised passwords check & refusal
