Menu
iThemes
WordPress Security, Backups & Maintenance
  • Products
    • iThemes Security Pro
    • BackupBuddy
    • iThemes Sync
    • Why buy from iThemes?
  • Bundles
    • Essentials Bundle
    • Plugin Suite
    • WordPress Web Designer’s Toolkit
    • Customer Spotlights
  • Resources
    • Blog
    • WordPress 101 Tutorials
    • WordPress Ebooks
    • Weekly WordPress Vulnerability Report
    • The Ultimate Guide to Starting a Web Design Business
  • Training
    • Upcoming Webinars
    • Free Webinar Library
    • Premium Courses
    • Become a Member
    • Member Login
  • Support
    • Documentation
    • Get Help
    • Product Updates
    • Upgrade Policy
    • Contact
    • Our Mission: Make People’s Lives Awesome
  • Log In
WordPress News and Updates from iThemes
Categories
  • Product Updates
  • WordPress Backup
  • WordPress Block Editor
  • WordPress Ecommerce
  • WordPress for Freelancers
  • WordPress Security
  • WordPress Tutorials
  • WPprosper

WordPress Vulnerability Report: November 2021, Part 3

Written by Michael Moore on November 17, 2021

Last Updated on November 19, 2021

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

Contents of the November 17, 2021 Report
  • WordPress Core Vulnerabilities
    • 1. WordPress
  • WordPress Plugin Vulnerabilities
    • 1. Registrations for the Events Calendar
    • 2. LoginWP 
    • 3. WooCommerce Currency Switcher
    • 4. Secure Copy Content Protection and Content Locking
    • 5. Bookly 
    • 6. Email Log
    • 7. Tawk.to Live Chat
    • 8. WP Data Access
    • 9. PDF.js Viewer
    • 10. Backup and Restore
    • 11. LearnPress 
    • 12. Get Custom Field Values
    • 13. Booking Package
    • 14. Like Button Rating
    • 15. Caldera Forms
    • 16. Starter Templates
    • 17. Contact Form Email
    • 18. Video Gallery – Vimeo and YouTube Gallery
    • 19. WordPress Popular Posts
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring
Want this report delivered to your inbox each week?
Subscribe to the weekly email

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

1. WordPress

Vulnerability: Expired DST Root CA X3 Certificate
Patched in Version: 5.8.2
Explanation:The wp-includes/certificates/ca-bundle.crt file contains a DST Root CA X3 which expired on September 30th, 2021, raising security warning in some cases.

The vulnerability has been patched, so make sure you are running WordPress 5.8.2.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

1. Registrations for the Events Calendar

Plugin: Registrations for the Events Calendar
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.7.6
Severity Score: High

The vulnerability is patched, so you should update to version 2.7.6.

2. LoginWP 

Plugin: LoginWP 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.0.5
Severity Score: High

The vulnerability is patched, so you should update to version 3.0.0.5.

3. WooCommerce Currency Switcher

Plugin: WooCommerce Currency Switcher
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.7.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.7.1.

4. Secure Copy Content Protection and Content Locking

Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Subscriber+ Email Address Disclosure
Patched in Version: 2.8.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.8.2.

5. Bookly 

Plugin: Bookly 
Vulnerability: Staff Member Stored Cross-Site Scripting
Patched in Version: 20.3.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 20.3.1.

6. Email Log

Plugin: Email Log
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.4.8
Severity Score: High

The vulnerability is patched, so you should update to version 2.4.8.

7. Tawk.to Live Chat

Plugin: Tawk.to Live Chat
Vulnerability: Subscriber+ Visitor Monitoring & Chat Removal
Patched in Version: 0.6.0
Severity Score: High

The vulnerability is patched, so you should update to version 0.6.0.

8. WP Data Access

Plugin: WP Data Access
Vulnerability: Admin+ SQL Injection
Patched in Version: 5.0.0
Severity Score: High

The vulnerability is patched, so you should update to version 5.0.0.

9. PDF.js Viewer

Plugin: PDF.js Viewer
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.0.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.0.2.

10. Backup and Restore

Plugin: Backup and Restore
Vulnerability: Admin+ Arbitrary File Deletion
Patched in Version: No known fix
Severity Score: Medium

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

11. LearnPress 

Plugin: LearnPress 
Vulnerability: Admin+ SQL Injection
Patched in Version: 4.1.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.1.4.

12. Get Custom Field Values

Plugin: Get Custom Field Values
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 4.0.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 4.0.1.

13. Booking Package

Plugin: Booking Package
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.11
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.5.11.

14. Like Button Rating

Plugin: Like Button Rating
Vulnerability: Unauthorised Vote Export to Email & IP Addresses Disclosure
Patched in Version: 2.6.38
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.38.

15. Caldera Forms

Plugin: Caldera Forms
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.9.5
Severity Score: Low

The vulnerability is patched, so you should update to version 1.9.5.

16. Starter Templates

Plugin: Starter Templates
Vulnerability: Contributor+ Block Import to Stored XSS
Patched in Version: 2.7.1
Severity Score: High

The vulnerability is patched, so you should update to version 2.7.1.

17. Contact Form Email

Plugin: Contact Form Email
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.3.25
Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.25.

18. Video Gallery – Vimeo and YouTube Gallery

Plugin: Video Gallery – Vimeo and YouTube Gallery 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.5
Severity Score: Low

The vulnerability is patched, so you should update to version 1.1.5.

19. WordPress Popular Posts

Plugin: WordPress Popular Posts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.3.4
Severity Score: Low

The vulnerability is patched, so you should update to version 5.3.4.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked. With 30+ ways to secure your site in one easy to use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Monitor File Changes

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices
  • reCAPTCHA
  • Brute force protection
  • Two-factor authentication
  • Magic login links
  • Privilege escalation
  • Compromised passwords check & refusal

Get iThemes Security Pro

Share via:

  • Facebook
  • Twitter
  • LinkedIn
  • More
Other related posts
A security-riddled computer monitor. There is a large, orange shield with a slash in the middle of the screen. Surrounding it are a red target, a green skull and crossbones, an orange “bug”, a triangle with an explanation point in the middle and a gray gear.
WordPress Vulnerability Report – January 25, 2023
WordPress vulnerability report
WordPress Vulnerability Report – January 18, 2023
A computer riddled with security issue alerts. There is a large, orange shield with a slash in the middle of the screen. Surrounding it are a red target, a green skull and crossbones, an orange “bug”, a triangle with an explanation point in the middle and a gray gear.
WordPress Vulnerability Report – January 11, 2023
WordPress Vulnerability Report
WordPress Vulnerability Report – January 4, 2023

Get updates on new themes & plugins plus special discounts

About iThemes

  • The Team
  • Contact Us
  • Website Accessibility Statement
  • Sitemap

Resources

  • Blog
  • Documentation
  • WordPress Tutorials
  • Free WordPress Ebooks
  • Free Webinar Library
  • Free Upcoming Webinars
  • iThemes Training
  • Affiliates

Customers

  • Member Panel Login
  • Support
  • FAQs
  • Upgrade Policy
  • Licensing
  • Terms and Conditions
  • Refund Policy

Top Products

  • BackupBuddy
  • iThemes Security Pro
  • iThemes Sync
  • Restrict Content Pro
  • WPComplete
  • WordPress Plugins
  • Content Upgrades
  • WordPress Landing Page Plugin
  • BackupBuddy Stash

iThemes Media LLC Copyright © 2023 All rights reserved | Privacy Policy

© 2022 All Rights Reserved.

Visit StellarWP Visit Nexcess
Share via
Facebook
Twitter
LinkedIn
Mix
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.
No spam. Unsubscribe anytime.