WordPress Vulnerability Report

WordPress Vulnerability Report – May 18, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of low, medium, high, or critical.

Avatar photo
SolidWP Editorial Team

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Get SolidWP tips direct in your inbox

Sign up

This field is for validation purposes and should be left unchanged.
Placeholder text
Placeholder text
Thanks

Oops something went wrong, please try submitting again

Get started with confidence — risk free, guaranteed

WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

WP Statistics

Installations:
600,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
13.2.2
Severity Score:
Low
The vulnerability has been patched, so you should update to version 13.2.2.

FiboSearch

Installations:
100,000+
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
1.18.0
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.18.0.

Database Backup for WordPress

Installations:
100,000+
Vulnerability:
Arbitrary Schedule Settings Update via CSRF
Patched in Version:
2.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.2.

Throws SPAM Away

Installations:
20,000+
Vulnerability:
Comment Deletion via CSRF
Patched in Version:
3.3.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.3.1.

WP Simple Adsense Insertion

Installations:
9,000+
Vulnerability:
Inject ads and javascript via CSRF
Patched in Version:
2.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.1.
Installations:
7,000+
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
1.4.8
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.4.8.

FormCraft Basic

Installations:
5,000+
Vulnerability:
Admin+ Stored Cross Site Scripting
Patched in Version:
1.2.6
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.2.6.

WPify Woo Czech

Installations:
3,000+
Vulnerability:
Reflected Cross-Site Scripting (XSS)
Patched in Version:
3.5.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.5.7.

Files Download Delay

Installations:
10+
Vulnerability:
Subscriber+ Settings Reset
Patched in Version:
1.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.7.

WooCommerce Green Wallet Gateway

Vulnerability:
Reflected Cross Site Scripting in checkout page
Patched in Version:
1.0.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.2.

WPQA

Vulnerability:
Unauthenticated Private Message Disclosure; Reflected Cross-Site Scripting
Patched in Version:
5.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.5.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Donations

Plugin:
Donations
Vulnerability:
Contributor+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Quotes llama

Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Easy FAQ with Expanding Text

Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Fundraising Donation and Crowdfunding Platform

Vulnerability:
Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

LiveSync for WordPress

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Born Babies

Vulnerability:
Contributor+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Five Minute Webshop

Vulnerability:
Admin+ SQLi via orderby
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Discy

Theme:
Discy
Vulnerability:
Restore Default Settings via CSRF; Settings Update via CSRF
Patched in Version:
5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.2.

Ask Me

Theme:
Ask me
Vulnerability:
Multiple CSRF in AJAX Actions; Reflected Cross-Site Scripting
Patched in Version:
6.8.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.8.2.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Did you like this article? Spread the word: