
WordPress Vulnerability Report – May 11, 2022

Written by iThemes Editorial Team on May 11, 2022

Last Updated on May 11, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the May 11, 2022 Report
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • Smush
    • Form Maker By 10Web
    • Change wp-admin Login
    • External Links in New Window / New Tab
    • Team Members
    • Bulk Page Creator
    • JivoChat
    • WP 2FA
    • VikBooking
    • User Meta
    • Poll Maker
    • Content Mask
    • Enable SVG
    • StaffList
  • WordPress Plugin Vulnerabilities – No Known Fix
    • WP JS
    • Slideshow
    • No Future Posts
    • Call&Book Mobile Bar
    • Amazon Link
    • IMDB info box
    • Simple Real Estate Pack
    • HPB Dashboard
    • Quotes llama
    • Andrea Pernici News Sitemap for Google
    • BannerMan
    • Birthdays Widget
    • Easy FAQ with Expanding Text
  • WordPress Theme Vulnerabilities
  • Never worry about running a vulnerable plugin or theme again.
  • The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

Smush

Plugin: Smush – Lazy Load Images, Optimize & Compress Images
Installations: 1,000,000+
Vulnerability: Admin+ Reflected Cross-Site Scripting
Patched in Version: 3.9.9
Severity Score: Low
The vulnerability has been patched, so you should update to version 3.9.9.

Form Maker By 10Web

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Installations: 80,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.14.12
Severity Score: Low
The vulnerability has been patched, so you should update to version 1.14.12.

Change wp-admin Login

Plugin: Change wp-admin login
Installations: 70,000+
Vulnerability: Unauthenticated Arbitrary Settings Update
Patched in Version: 1.1.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.0.

External Links in New Window / New Tab

Plugin: External Links in New Window / New Tab
Installations: 40,000+
Vulnerability: Tabnabbing; Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.43
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.43.

Team Members

Plugin: Team Members
Installations: 40,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.1.1
Severity Score: Low
The vulnerability has been patched, so you should update to version 5.1.1.

Bulk Page Creator

Plugin: Bulk Page Creator
Installations: 30,000+
Vulnerability: Arbitrary Page Creation via CSRF
Patched in Version: 1.1.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.4.

JivoChat

Plugin: JivoChat Live Chat – WP live chat plugin for WordPress
Installations: 30,000+
Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in Version: 1.3.5.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.3.5.4.

WP 2FA

Plugin: WP 2FA – Two-factor authentication for WordPress
Installations: 20,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.2.1.

VikBooking

Plugin: VikBooking Hotel Booking Engine & PMS
Installations: 3,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.5.9.

User Meta

Plugin: User Meta – User Profile Builder and User management plugin
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.4.3
Severity Score: Low
The vulnerability has been patched, so you should update to version 2.4.3.

Poll Maker

Plugin: Poll Maker
Installations: 3,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.0.2
Severity Score: Low
The vulnerability has been patched, so you should update to version 4.0.2.

Content Mask

Plugin: Content Mask
Installations: 1,000+
Vulnerability: Subscriber+ Arbitrary Options Update
Patched in Version: 1.8.4.1
Severity Score: High
The vulnerability has been patched, so you should update to version 1.8.4.1.

Enable SVG

Plugin: Enable SVG
Installations: 500+
Vulnerability: Author+ Stored Cross Site Scripting via SVG
Patched in Version: 1.4.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.4.0.

StaffList

Plugin: StaffList
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.1.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.1.7.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

WP JS

Plugin: WP JS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Slideshow

Plugin: Slideshow
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

No Future Posts

Plugin: No Future Posts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Call&Book Mobile Bar

Plugin: Call&Book Mobile Bar
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Amazon Link

Plugin: Amazon Link
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

IMDB info box

Plugin: IMDB Info Box
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Simple Real Estate Pack

Plugin: Simple Real Estate Pack
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

HPB Dashboard

Plugin: hpb Dashboard
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Quotes llama

Plugin: Quotes llama
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Andrea Pernici News Sitemap for Google

Plugin: Andrea Pernici News Sitemap for Google
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

BannerMan

Plugin: BannerMan
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Birthdays Widget

Plugin: Birthdays Widget
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Easy FAQ with Expanding Text

Plugin: Easy FAQ with Expanding Text
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

  • Good news! No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the WPScan Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.


iThemes Team
iThemes Editorial Team

Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.
