Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.1. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing gives the type of vulnerability, the version in which it was patched (where a patch exists), and the severity rating.
1. Contest Gallery

Plugin: Contest Gallery
Vulnerability: Subscriber+ Email Address Disclosure
Patched in Version: 13.1.0.7
Severity Score: Medium
Plugin: Contest Gallery
Vulnerability: Missing Access Controls to Unauthenticated SQL Injection / Email Address Disclosure
Patched in Version: 13.1.0.6
Severity Score: High
2. Check & Log Email

Plugin: Check & Log Email
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.4
Severity Score: High
3. BSK PDF Manager

Plugin: BSK PDF Manager
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.1.2
Severity Score: Medium
4. Stylish Cost Calculator

Plugin: Stylish Cost Calculator
Vulnerability: Subscriber+ Unauthorised AJAX Calls to Stored XSS
Patched in Version: 7.0.4
Severity Score: High
5. Shop Page WP

Plugin: Shop Page WP
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.8
Severity Score: Medium
6. Ibtana – Ecommerce Product Addons

Plugin: Ibtana – Ecommerce Product Addons
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 0.2.4
Severity Score: High
7. WP RSS Aggregator

Plugin: WP RSS Aggregator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.19.2
Severity Score: Low
8. GenerateBlocks

Plugin: GenerateBlocks
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.4.0
Severity Score: Medium
9. Email Before Download

Plugin: Email Before Download
Vulnerability: Admin+ SQL Injection
Patched in Version: 6.8
Severity Score: Medium
10. myCred

Plugin: myCred
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 2.3
Severity Score: High
11. Google Maps Easy

Plugin: Google Maps Easy
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.10.1
Severity Score: Low
12. My Calendar

Plugin: My Calendar
Vulnerability: Subscriber+ Reflected Cross-Site Scripting
Patched in Version: 3.2.18
Severity Score: Medium
13. ARForms Form Builder

Plugin: ARForms Form Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.5
Severity Score: Low
14. WP DSGVO Tools

Plugin: WP DSGVO Tools
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched in Version: 3.1.24
Severity Score: High
15. WP All Import

Plugin: WP All Import
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.6.3
Severity Score: Low
16. WPS Hide Login

Plugin: WPS Hide Login
Vulnerability: Protection Bypass with Referer-Header
Patched in Version: 1.9.1
Severity Score: Medium
17. WP Google Fonts

Plugin: WP Google Fonts
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.1.5
Severity Score: Medium
18. Event Manager for WooCommerce

Plugin: Event Manager for WooCommerce
Vulnerability: Unauthenticated Arbitrary Elementor Template Import
Patched in Version: 3.5.3
Severity Score: Medium
Plugin: Event Manager for WooCommerce
Vulnerability: Unauthenticated Arbitrary Options Reset
Patched in Version: 3.5.3
Severity Score: High
19. AutomatorWP

Plugin: AutomatorWP
Vulnerability: Missing Authorization and Privilege Escalation
Patched in Version: 1.7.6
Severity Score: Medium
20. Logo Slider and Showcase

Plugin: Logo Slider and Showcase
Vulnerability: Editor Plugin’s Settings Update
Patched in Version: 1.3.37
Severity Score: Low
21. Stylish Price List

Plugin: Stylish Price List
Vulnerability: Unauthenticated Arbitrary Image Upload
Patched in Version: 6.9.0
Severity Score: Medium
Plugin: Stylish Price List
Vulnerability: Subscriber+ Arbitrary Image Upload
Patched in Version: 6.9.1
Severity Score: Medium
22. WP Debugging

Plugin: WP Debugging
Vulnerability: Unauthenticated Plugin’s Settings Update
Patched in Version: 2.11.0
Severity Score: Medium
23. Hotel Listing

Plugin: Hotel Listing
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 1.3.3
Severity Score: Medium
24. Email Tracker

Plugin: Email Tracker
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 5.2.6
Severity Score: High
25. Contact Form by Supsystic

Plugin: Contact Form by Supsystic
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.7.20
Severity Score: Low
26. Restaurant Menu by MotoPress

Plugin: Restaurant Menu by MotoPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.4.2
Severity Score: Low
27. SEO Redirection

Plugin: SEO Redirection
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 8.2
Severity Score: Medium
28. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.11
Severity Score: Medium
29. Ninja Forms

Plugin: Ninja Forms
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.6.4
Severity Score: Medium
30. Registrations for The Events Calendar

Plugin: Registrations for The Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.5
Severity Score: High
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As this report shows, many new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to check that your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.