WordPress Vulnerability Report: November 2021, Part 1
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of Low, Medium, High, or Critical.
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
Get SolidWP tips direct in your inbox
Sign up
Get started with confidence — risk free, guaranteed
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.1. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
1. Reviews Plus
Plugin: Reviews Plus
Vulnerability: Subscriber+ Reviews DoS
Patched in Version: 1.2.14
Severity Score: Low
2. Slideshow Gallery
Plugin: Slideshow Gallery
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.7.4
Severity Score: Low
3. MainWP Child
Plugin: MainWP Child
Vulnerability: Admin+ SQL Injection
Patched in Version: 4.1.8
Severity Score: Medium
4. eCommerce Product Catalog for WordPress
Plugin: eCommerce Product Catalog for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.39
Severity Score: High
5. Falang multilanguage for WordPress
Plugin: Falang multilanguage for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.18
Severity Score: High
6. Video Lessons Manager
Plugin: Video Lessons Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.7.2
Severity Score: Low
7. WP Spell Check
Plugin: WP Spell Check
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 9.3
Severity Score: High
8. Ecommerce – Two Factor Authentication
Plugin: Ecommerce – Two Factor Authentication
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.5
Severity Score: High
9. MAZ Loader
Plugin: MAZ Loader
Vulnerability: Arbitrary Loader Deletion via CSRF
Patched in Version: No known fix
Severity Score: High
10. Age Gate
Plugin: Age Gate
Vulnerability: Unauthenticated Import Settings
Patched in Version: 2.17.1
Severity Score: Critical
11. Duplicate Post
Plugin: Duplicate Post
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.0
Severity Score: Medium
12. Notification
Plugin: Notification
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 8.0.0
Severity Score: Low
13. Connections Business Directory
Plugin: Connections Business Directory
Vulnerability: Admin+ CSV Injection
Patched in Version: 9.7
Severity Score: Medium
14. Media-Tags
Plugin: Media-Tags
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
15. About Author Box
Plugin: About Author Box
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.0.2
Severity Score: Medium
16. Subscriptions & Memberships for PayPal
Plugin: Subscriptions & Memberships for PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.1.3
Severity Score: High
17. Accept Donations with PayPal
Plugin: Accept Donations with PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.3.1
Severity Score: High
18. Easy PayPal Events
Plugin: Easy PayPal Events
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.1.2
Severity Score: High
19. Popup Anything
Plugin: Popup Anything
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.0.4
Severity Score: High
20. JS Job Manager
Plugin: JS Job Manager
Vulnerability: Unauthenticated Arbitrary Plugin Installation/Activation
Patched in Version: 1.1.9
Severity Score: Critical
21. Bulk Datetime Change
Plugin: Bulk Datetime Change
Vulnerability: Missing Authorisation
Patched in Version: 1.12
Severity Score: Medium
22. Ninja Forms
Plugin: Ninja Forms
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.6.4
Severity Score: Medium
23. WP Attachment Export
Plugin: WP Attachment Export
Vulnerability: Unauthenticated Posts Download
Patched in Version: 0.2.4
Severity Score: High
24. Content text slider on post
Plugin: Content text slider on post
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 6.9
Severity Score: Medium
25. HashThemes Demo Importer
Plugin: HashThemes Demo Importer
Vulnerability: Improper Access Control to Blog Reset
Patched in Version: 1.1.2
Severity Score: Critical
26. Registrations for The Events Calendar
Plugin: Registrations for The Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.5
Severity Score: High
27. Mang Board WP
Plugin: Mang Board WP
Vulnerability: SQL Injection
Patched in Version: 1.6.9
Severity Score: High
28. OptinMonster
Plugin: OptinMonster
Vulnerability: Unprotected REST-API Endpoints
Patched in Version: 2.6.5
Severity Score: High
29. NextScripts: Social Networks Auto-Poster
Plugin: NextScripts: Social Networks Auto-Poster
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.3.21
Severity Score: High
30. Smash Balloon Social Post Feed
Plugin: Smash Balloon Social Post Feed
Vulnerability: Subscriber+ Arbitrary Plugin Settings Update to Stored XSS
Patched in Version: 4.0.1
Severity Score: High
31. WP-Pro-Quiz
Plugin: WP-Pro-Quiz
Vulnerability: Arbitrary Quiz Deletion via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium
32. Contact Form by Supsystic
Plugin: Contact Form by Supsystic
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: no known fix
Severity Score: Low
33. WP-Stats
Plugin: WP-Stats
Vulnerability: CSRF to Stored Cross-Site Scripting (XSS)
Patched in Version: 2.52
Severity Score: High
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Sign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Get started with confidence — risk free, guaranteed