WordPress Vulnerability Report – May 25, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of low, medium, high, or critical.

SolidWP Editorial Team

Responsible disclosure and reporting of vulnerabilities are an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress Core Vulnerabilities

WordPress 6.0 “Arturo” is out! This major version release of WordPress was “built to help you unlock your creative aspirations and make your site-building experience more intuitive,” including almost 1,000 enhancements and bug fixes. See what’s new in WordPress 6.0.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the WordPress plugin vulnerabilities disclosed this week. Each plugin listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if a patch exists), and the severity rating.

Google Tag Manager for WordPress

Plugin:
GTM4WP
Installations:
600,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
1.15.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.15.1.

Newsletter

Installations:
400,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
7.4.5
Severity Score:
Low
The vulnerability has been patched, so you should update to version 7.4.5.

Minimal Coming Soon – Coming Soon Page

Installations:
100,000+
Vulnerability:
Multiple Authenticated Stored XSS
Patched in Version:
2.35
Severity Score:
Low
The vulnerability has been patched, so you should update to version 2.35.

Export any WordPress data to XML/CSV

Installations:
90,000+
Vulnerability:
Admin+ SQL Injection
Patched in Version:
1.3.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.5.

JupiterX Core

Installations:
90,000+
Vulnerability:
Information Disclosure, Modification, and Denial of Service; Subscriber+ Arbitrary Plugin Deactivation and Settings Update; Subscriber+ Privilege Escalation and Post Deletion
Patched in Version:
2.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.7.

MailerLite

Installations:
60,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
1.5.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.4.

Simple Membership

Installations:
50,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
4.1.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.1.1.

Appointment Hour Booking

Installations:
30,000+
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
1.3.56
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.3.56.

Themify – WooCommerce Product Filter

Installations:
30,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
1.3.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.8.

Like Button Rating

Installations:
7,000+
Vulnerability:
Arbitrary e-mail Sending
Patched in Version:
2.6.45
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.6.45.

Zephyr Project Manager

Installations:
1,000+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
3.2.41
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.41.

Popup Box

Installations:
1,000+
Vulnerability:
Admin+ LFI
Patched in Version:
2.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.

Keep Backup Daily

Installations:
800+
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
2.0.3
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.3.

Filr – Secure Document Library

Installations:
600+
Vulnerability:
Subscriber+ AJAX Calls
Patched in Version:
1.2.2.1
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 1.2.2.1.

Google Places Review

Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
2.0.0
Severity Score:
Low
The vulnerability has been patched, so you should update to version 2.0.0.

Slideshow CK

Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
1.4.10
Severity Score:
Low
The vulnerability has been patched, so you should update to version 1.4.10.

The School Management

Vulnerability:
Unauthenticated RCE via REST API
Patched in Version:
9.9.7
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 9.9.7.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

iQ Block Country

Vulnerability:
Protection Bypass due to IP Spoofing
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Code Snippets Extended

Vulnerability:
Stored Cross-Site Scripting via CSRF; Arbitrary Snippet Deletion/Disabling via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Webriti SMTP Mail

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Change Uploaded File Permissions

Vulnerability:
File Permission Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

New User Email Set Up

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Vulnerability:
Stored Cross-Site Scripting via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

postTabs

Plugin:
postTabs
Vulnerability:
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Private Files

Vulnerability:
Protection Disabling via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Athletics

Vulnerability:
Subscriber+ Stored Cross-Site Scripting; Reflected Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP-chgFontSize

Vulnerability:
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Latest Tweets Widget

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Admin Style

Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Opal Hotel Room Booking

Vulnerability:
Contributor+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Genki Pre-Publish Reminder

Vulnerability:
Stored XSS & RCE via CSRF
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Enqueue Anything

Vulnerability:
Subscriber+ Arbitrary Asset/Post Deletion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Auto Delete Posts

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

LaTeX for WordPress

Vulnerability:
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

One Click Plugin Updater

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Member Hero

Vulnerability:
Unauthenticated RCE
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Log WP_Mail

Vulnerability:
Email Logs Publicly Accessible
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Sideblog

Vulnerability:
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Bestbooks

Plugin:
Bestbooks
Vulnerability:
Unauthenticated SQLi
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Static Page eXtended

Vulnerability:
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Quick Subscribe

Vulnerability:
Arbitrary Settings Update via CSRF to Stored XSS
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Sticky Popup

Vulnerability:
Admin+ Stored Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Email Users

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP SVG Icons

Vulnerability:
Admin+ Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Peter’s Collaboration E-mails

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Useful Banner Manager

Vulnerability:
Modify banners via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

OnePress Social Locker

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Core Control

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

HC Custom WP-Admin URL

Vulnerability:
Arbitrary Settings Update via CSRF
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Hot Linked Image Cacher

Vulnerability:
Image upload/cache abuse via CSRF
Patched in Version:
No Fix
Severity Score:
Low
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

This section lists the WordPress theme vulnerabilities disclosed this week. Each theme listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if a patch exists), and the severity rating.

Jupiter & JupiterX

Theme:
JupiterX
Vulnerability:
Subscriber+ Path Traversal and Local File Inclusion; Subscriber+ Arbitrary Plugin Deletion; Subscriber+ Privilege Escalation and Post Deletion; Subscriber+ Path Traversal and Local File Inclusion; Subscriber+ Arbitrary Plugin Deactivation and Settings Update
Patched in Version:
6.10.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.10.2.
