WordPress Vulnerability Report – May 25, 2022

Written by iThemes Editorial Team on May 25, 2022

Last Updated on May 25, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the May 25, 2022 Report
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • Google Tag Manager for WordPress
    • Newsletter
    • Minimal Coming Soon – Coming Soon Page
    • Export any WordPress data to XML/CSV
    • JupiterX Core
    • MailerLite
    • Simple Membership
    • Appointment Hour Booking
    • Themify – WooCommerce Product Filter
    • Like Button Rating
    • KiviCare
    • Zephyr Project Manager
    • Popup Box
    • Keep Backup Daily
    • Filr – Secure Document Library
    • Google Places Reviews
    • Slideshow CK
    • The School Management
  • WordPress Plugin Vulnerabilities – No Known Fix
    • iQ Block Country
    • Code Snippets Extended
    • Webriti SMTP Mail
    • Change Uploaded File Permissions
    • New User Email Set Up
    • RB Internal Links
    • postTabs
    • Private Files
    • WP Athletics
    • WP-CRM
    • Advanced Admin Search
    • WP-chgFontSize
    • Latest Tweets Widget
    • WP Admin Style
    • Opal Hotel Room Booking
    • Genki Pre-Publish Reminder
    • Enqueue Anything
    • Carousel CK
    • Auto Delete Posts
    • LaTeX for WordPress
    • One Click Plugin Updater
    • Member Hero
    • Log WP_Mail
    • Sideblog
    • Bestbooks
    • Static Page eXtended
    • Quick Subscribe
    • Sticky Popup
    • Email Users
    • WP SVG Icons
    • Peter's Collaboration E-mails
    • Useful Banner Manager
    • OnePress Social Locker
    • Core Control
    • HC Custom WP-Admin URL
    • Hot Linked Image Cacher
  • WordPress Theme Vulnerabilities
    • Jupiter & JupiterX
  • Never worry about running a vulnerable plugin or theme again.
  • The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress Core Vulnerabilities

WordPress 6.0 “Arturo” is out! This major version release of WordPress was “built to help you unlock your creative aspirations and make your site-building experience more intuitive,” including almost 1,000 enhancements and bug fixes. See what’s new in WordPress 6.0.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the WordPress plugin vulnerabilities disclosed this week. Each plugin listing gives the type of vulnerability, the number of active installations, the version that fixes it (where a patch exists), and the severity rating.

Google Tag Manager for WordPress

Plugin
GTM4WP
Installations
600,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
1.15.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.15.1.

Newsletter

Plugin
Newsletter – Send awesome emails from WordPress
Installations
400,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
7.4.5
Severity Score
Low
The vulnerability has been patched, so you should update to version 7.4.5.

Minimal Coming Soon – Coming Soon Page

Plugin
Minimal Coming Soon – Coming Soon Page
Installations
100,000+
Vulnerability
Multiple Authenticated Stored XSS
Patched in Version
2.35
Severity Score
Low
These vulnerabilities have been patched, so you should update to version 2.35.

Export any WordPress data to XML/CSV

Plugin
Export any WordPress data to XML/CSV
Installations
90,000+
Vulnerability
Admin+ SQL Injection
Patched in Version
1.3.5
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.3.5.

JupiterX Core

Plugin
Jupiter X Core
Installations
90,000+
Vulnerability
Information Disclosure, Modification, and Denial of Service; Subscriber+ Arbitrary Plugin Deactivation and Settings Update; Subscriber+ Privilege Escalation and Post Deletion
Patched in Version
2.0.7
Severity Score
Medium
These vulnerabilities have been patched, so you should update to version 2.0.7.

MailerLite

Plugin
MailerLite – Signup forms (official)
Installations
60,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
1.5.4
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.5.4.

Simple Membership

Plugin
Simple Membership
Installations
50,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
4.1.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 4.1.1.

Appointment Hour Booking

Plugin
Appointment Hour Booking – WordPress Booking Plugin
Installations
30,000+
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
1.3.56
Severity Score
Low
The vulnerability has been patched, so you should update to version 1.3.56.

Themify – WooCommerce Product Filter

Plugin
Themify – WooCommerce Product Filter
Installations
30,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
1.3.8
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.3.8.

Like Button Rating

Plugin
Like Button Rating ♥ LikeBtn
Installations
7,000+
Vulnerability
Arbitrary e-mail Sending
Patched in Version
2.6.45
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.6.45.

KiviCare

Plugin
KiviCare – Clinic & Patient Management System (EHR)
Installations
1,000+
Vulnerability
Unauthenticated SQLi
Patched in Version
2.3.9
Severity Score
High
The vulnerability has been patched, so you should update to version 2.3.9.

Zephyr Project Manager

Plugin
Zephyr Project Manager
Installations
1,000+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
3.2.41
Severity Score
Medium
The vulnerability has been patched, so you should update to version 3.2.41.

Popup Box

Plugin
Popup Box – new WordPress popup plugin
Installations
1,000+
Vulnerability
Admin+ LFI
Patched in Version
2.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.2.

Keep Backup Daily

Plugin
Keep Backup Daily
Installations
800+
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
2.0.3
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.0.3.

Filr – Secure Document Library

Plugin
Filr – Secure document library
Installations
600+
Vulnerability
Subscriber+ AJAX Calls
Patched in Version
1.2.2.1
Severity Score
Critical
The vulnerability has been patched, so you should update to version 1.2.2.1.

Google Places Reviews

Plugin
Google Places Reviews
Vulnerability
Admin+ Stored Cross Site Scripting
Patched in Version
2.0.0
Severity Score
Low
The vulnerability has been patched, so you should update to version 2.0.0.

Slideshow CK

Plugin
Slideshow CK
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
1.4.10
Severity Score
Low
The vulnerability has been patched, so you should update to version 1.4.10.

The School Management

Plugin
The School Management
Vulnerability
Unauthenticated RCE via REST API
Patched in Version
9.9.7
Severity Score
Critical
The vulnerability has been patched, so you should update to version 9.9.7.

WordPress Plugin Vulnerabilities – No Known Fix

This section lists plugin vulnerabilities with no known fix. Until a patch is available, uninstall and delete the plugin. Deactivating it is not enough: a deactivated plugin's PHP files stay on disk under wp-content/plugins and can still be requested directly, so the plugin can remain exploitable until it is removed.
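Both lists above reduce to the same question for an operator: which of these plugins is installed, is the installed version below the fixed one, and is there a fix at all? The following script is an added example, not code from iThemes, WPScan or any plugin in this report. It assumes the inventory is the JSON that WP-CLI prints for `wp plugin list --fields=title,version,status --format=json`, and that the `title` field matches the plugin name as the report prints it (an assumption: the title comes from the plugin's own header and may differ). The advisory table is an excerpt copied from this report; the inventory is constructed sample data.

```python
"""Triage a site's installed plugins against this week's report.

Added example; not code from iThemes, WPScan or any plugin named in the report.
Assumes the inventory is the JSON that WP-CLI prints for
    wp plugin list --fields=title,version,status --format=json
and that "title" matches the plugin name as printed in the report (assumption).
"""
import json
import re

# Excerpt of the report, keyed by plugin name: fixed version, or None where the
# report says "No Fix" (plugin closed). Only a handful of entries are copied.
ADVISORIES = {
    "GTM4WP": "1.15.1",
    "Newsletter – Send awesome emails from WordPress": "7.4.5",
    "Minimal Coming Soon – Coming Soon Page": "2.35",
    "Filr – Secure document library": "1.2.2.1",
    "Member Hero": None,
    "Bestbooks": None,
}


def _norm(name):
    """Case-insensitive key; treats en dashes and hyphens alike."""
    return re.sub(r"\s+", " ", name.replace("\u2013", "-")).strip().casefold()


def parse_version(v):
    """'1.2.2.1' -> (1, 2, 2, 1). Non-numeric tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed, fixed):
    """True when installed < fixed. Shorter tuples are zero-padded so that
    '2.35' and '2.35.0' compare equal, while '2.35' stays above '2.3.5'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def triage(inventory_json, advisories=ADVISORIES):
    """Return (title, installed version, action, reason) for every installed
    plugin the report mentions. Inactive plugins are deliberately not skipped:
    their PHP files stay on disk and remain reachable, so they get the same
    action as active ones."""
    index = {_norm(k): v for k, v in advisories.items()}
    actions = []
    for p in json.loads(inventory_json):
        key = _norm(p["title"])
        if key not in index:
            continue
        fixed = index[key]
        if fixed is None:
            actions.append((p["title"], p["version"], "uninstall",
                            "no fix available and plugin closed"))
        elif is_vulnerable(p["version"], fixed):
            actions.append((p["title"], p["version"], "update",
                            f"update to {fixed}"))
        else:
            actions.append((p["title"], p["version"], "ok",
                            f"already at or above {fixed}"))
    return actions


# Constructed sample inventory; not taken from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"title": "GTM4WP", "version": "1.15.0", "status": "active"},
    {"title": "Newsletter - Send awesome emails from WordPress",
     "version": "7.4.5", "status": "active"},
    {"title": "Filr - Secure document library", "version": "1.2.2",
     "status": "inactive"},
    {"title": "Member Hero", "version": "1.0.5", "status": "inactive"},
    {"title": "Unlisted Example Plugin", "version": "3.1", "status": "active"},
])

if __name__ == "__main__":
    for title, ver, action, reason in triage(SAMPLE_INVENTORY):
        print(f"{action:9} {title} ({ver}): {reason}")
```

On a real site, pipe the WP-CLI output into `triage()` instead of the sample, and extend `ADVISORIES` with the rest of the report. The version comparison is numeric and tuple-based rather than a string comparison, which matters for entries such as Filr (1.2.2 versus fixed 1.2.2.1) and Minimal Coming Soon (2.35).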

iQ Block Country

Plugin
iQ Block Country
Vulnerability
Protection Bypass due to IP Spoofing
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Code Snippets Extended

Plugin
Code Snippets Extended
Vulnerability
Stored Cross-Site Scripting via CSRF; Arbitrary Snippet Deletion/Disabling via CSRF
Patched in Version
No Fix
Severity Score
Medium
These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

Webriti SMTP Mail

Plugin
Webriti SMTP Mail
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Change Uploaded File Permissions

Plugin
Change Uploaded File Permissions
Vulnerability
File Permission Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

New User Email Set Up

Plugin
New User Email Set Up
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

RB Internal Links

Plugin
RB Internal Links
Vulnerability
Stored Cross-Site Scripting via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

postTabs

Plugin
postTabs
Vulnerability
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Private Files

Plugin
Private Files
Vulnerability
Protection Disabling via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Athletics

Plugin
WP Athletics
Vulnerability
Subscriber+ Stored Cross-Site Scripting; Reflected Cross-Site Scripting
Patched in Version
No Fix
Severity Score
High
These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP-CRM

Plugin
WP-CRM – Customer Relations Management for WordPress
Vulnerability
CSV Injection
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Advanced Admin Search

Plugin
Advanced Admin Search
Vulnerability
Reflected Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP-chgFontSize

Plugin
WP-chgFontSize
Vulnerability
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Latest Tweets Widget

Plugin
Latest Tweets Widget
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Admin Style

Plugin
WP Admin Style
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Opal Hotel Room Booking

Plugin
Opal Hotel Room Booking
Vulnerability
Contributor+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Genki Pre-Publish Reminder

Plugin
Genki Pre-Publish Reminder
Vulnerability
Stored XSS & RCE via CSRF
Patched in Version
No Fix
Severity Score
High
These vulnerabilities have not been patched and the plugin is closed. You should uninstall and delete the plugin.

Enqueue Anything

Plugin
Enqueue Anything
Vulnerability
Subscriber+ Arbitrary Asset/Post Deletion
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Carousel CK

Plugin
Carousel CK
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Auto Delete Posts

Plugin
Auto Delete Posts
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

LaTeX for WordPress

Plugin
LaTeX for WordPress
Vulnerability
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

One Click Plugin Updater

Plugin
One Click Plugin Updater
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Member Hero

Plugin
Member Hero
Vulnerability
Unauthenticated RCE
Patched in Version
No Fix
Severity Score
Critical
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Log WP_Mail

Plugin
Log WP_Mail
Vulnerability
Email Logs Publicly Accessible
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Sideblog

Plugin
Sideblog WordPress Plugin
Vulnerability
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Bestbooks

Plugin
Bestbooks
Vulnerability
Unauthenticated SQLi
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Static Page eXtended

Plugin
Static Page eXtended
Vulnerability
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Quick Subscribe

Plugin
Quick Subscribe
Vulnerability
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Sticky Popup

Plugin
Sticky Popup
Vulnerability
Admin+ Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Email Users

Plugin
Email Users
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP SVG Icons

Plugin
WP SVG Icons
Vulnerability
Admin+ Remote Code Execution (RCE)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Peter’s Collaboration E-mails

Plugin
Peter’s Collaboration E-mails
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Useful Banner Manager

Plugin
Useful Banner Manager
Vulnerability
Modify banners via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

OnePress Social Locker

Plugin
OnePress Social Locker
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Core Control

Plugin
Core Control
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

HC Custom WP-Admin URL

Plugin
HC Custom WP-Admin URL
Vulnerability
Arbitrary Settings Update via CSRF
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Hot Linked Image Cacher

Plugin
Hot Linked Image Cacher
Vulnerability
Image upload/cache abuse via CSRF
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

This section lists the WordPress theme vulnerabilities disclosed this week. Each theme listing gives the type of vulnerability, the number of active installations, the version that fixes it (where a patch exists), and the severity rating.

Jupiter & JupiterX

Theme
JupiterX
Vulnerability
Subscriber+ Path Traversal and Local File Inclusion; Subscriber+ Arbitrary Plugin Deletion; Subscriber+ Privilege Escalation and Post Deletion; Subscriber+ Arbitrary Plugin Deactivation and Settings Update
Patched in Version
6.10.2
Severity Score
High
These vulnerabilities have been patched, so you should update to version 6.10.2.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the WPScan Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

iThemes Editorial Team

Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.
