
WordPress Vulnerability Report: November 2021, Part 4

Written by Michael Moore on November 24, 2021

Last Updated on November 24, 2021

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

Contents of the November 24, 2021 Report
  • WordPress Hosting: GoDaddy Hacked
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • 1. Pixel Cat Lite
    • 2. All-In-One-Gallery
    • 3. StopBadBots  
    • 4. Temporary Login Without Password
    • 5. ProfilePress
    • 6. Modern Events Calendar
    • 7. Auto Featured Image
    • 8. Ultimate NoFollow
    • 9. NEX-Forms
    • 10. SEO Booster 
    • 11. WP System Log
    • 12. Inspirational Quote Rotator
    • 13. Single Post Exporter
    • 14. Flex Local Fonts
    • 15. WP Admin Logo Changer
    • 16. Contact Form Advanced Database
    • 17. Shiny Buttons
    • 18. Filter Portfolio Gallery
    • 19. WP Limits
    • 20. Page/Post Content Shortcode
    • 21. Improved Include Page
    • 22. Mediamatic
    • 23. Display Post Metadata
    • 24. ToTop Link
    • 25. User Meta Shortcodes
    • 26. Quotes Collection
    • 27. Push Notifications for WordPress (Lite)
    • 28. SportsPress
    • 29. Login/Signup Popup
    • 30. Preview E-mails for WooCommerce
    • 31. WP User Frontend 
    • 32. Directorist – Business Directory Plugin
    • 33. Easy Registration Forms
    • 34. WP Reset Pro 
    • 35. WordPress + Microsoft Office 365
    • 36. Duplicate Post
    • 37. Backup Migration
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Security Monitoring

WordPress Hosting: GoDaddy Hacked

In a security disclosure published on November 21, 2021, GoDaddy says that up to 1.2 million active and inactive customers have been exposed after hackers gained access to its managed WordPress hosting platform.

We wrote a post to unpack a few of the details of the recent GoDaddy hack, how it affects customers, and our recommendations for what to do if you’re a WordPress hosting customer at GoDaddy.


WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

1. Pixel Cat Lite

Plugin: Pixel Cat Lite
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.6.3
Severity Score: Low

The vulnerability is patched, so you should update to version 2.6.3.

Plugin: Pixel Cat Lite
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 2.6.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.6.2.

2. All-In-One-Gallery

Plugin: All-In-One-Gallery
Vulnerability: Admin+ Local File Inclusion
Patched in Version: 2.5.0
Severity Score: Low

The vulnerability is patched, so you should update to version 2.5.0.

3. StopBadBots  

Plugin: StopBadBots 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.67
Severity Score: Critical

The vulnerability is patched, so you should update to version 6.67.

4. Temporary Login Without Password

Plugin: Temporary Login Without Password
Vulnerability: Subscriber+ Plugin’s Settings Update
Patched in Version: 1.7.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.7.1.

5. ProfilePress

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.2.3.

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: High

The vulnerability is patched, so you should update to version 3.2.3.

6. Modern Events Calendar

Plugin: Modern Events Calendar
Vulnerability: Unauthenticated Blind SQL Injection
Patched in Version: 6.1.5
Severity Score: High

The vulnerability is patched, so you should update to version 6.1.5.

Plugin: Modern Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.1.5
Severity Score: High

The vulnerability is patched, so you should update to version 6.1.5.

7. Auto Featured Image

Plugin: Auto Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.9.3
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.9.3.

8. Ultimate NoFollow

Plugin: Ultimate NoFollow 
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of September 28, 2021. Uninstall and delete.

9. NEX-Forms

Plugin: NEX-Forms 
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 4, 2021. Uninstall and delete.

10. SEO Booster 

Plugin: SEO Booster  
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of October 5, 2021. Uninstall and delete.

11. WP System Log

Plugin: WP System Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.0.21
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.0.21.

12. Inspirational Quote Rotator

Plugin: Inspirational Quote Rotator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

13. Single Post Exporter

Plugin: Single Post Exporter
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

14. Flex Local Fonts

Plugin: Flex Local Fonts 
Vulnerability: Admin+ Stored Cross-Site-Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of September 23, 2021. Uninstall and delete.

15. WP Admin Logo Changer

Plugin: WP Admin Logo Changer
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium

This vulnerability has NOT been patched. This plugin has been closed as of October 4, 2021. Uninstall and delete.

16. Contact Form Advanced Database

Plugin: Contact Form Advanced Database 
Vulnerability: Unauthorised AJAX Calls
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of September 27, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

17. Shiny Buttons

Plugin: Shiny Buttons
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of September 27, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

18. Filter Portfolio Gallery

Plugin: Filter Portfolio Gallery
Vulnerability: Arbitrary Gallery Deletion via CSRF
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of September 27, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

19. WP Limits

Plugin: WP Limits
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 4, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

20. Page/Post Content Shortcode

Plugin: Page/Post Content Shortcode
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 4, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

21. Improved Include Page

Plugin: Improved Include Page
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 8, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

22. Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of October 11, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

23. Display Post Metadata

Plugin: Display Post Metadata
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 21, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

24. ToTop Link

Plugin: ToTop Link
Vulnerability: Unauthenticated PHP Object Injection
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 21, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

25. User Meta Shortcodes

Plugin: User Meta Shortcodes
Vulnerability: Contributor+ Unauthorized Arbitrary User Metadata Access
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of October 12, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

26. Quotes Collection

Plugin: Quotes Collection
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix
Severity Score: Medium

This plugin has been closed as of October 13, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

27. Push Notifications for WordPress (Lite)

Plugin: Push Notifications for WordPress (Lite) 
Vulnerability: Settings Update via CSRF
Patched in Version: 6.0.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.0.1.

28. SportsPress

Plugin: SportsPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.9
Severity Score: High

The vulnerability is patched, so you should update to version 2.7.9.

29. Login/Signup Popup

Plugin: Login/Signup Popup
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2
Severity Score: High

The vulnerability is patched, so you should update to version 2.2.

30. Preview E-mails for WooCommerce

Plugin: Preview E-mails for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.0.0.5.

31. WP User Frontend 

Plugin: WP User Frontend  
Vulnerability: Membership, Profile, Registration & Post Submission Plugin for WordPress 
Patched in Version: 3.5.25
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.5.25.

32. Directorist – Business Directory Plugin

Plugin: Directorist – Business Directory Plugin
Vulnerability: CSRF to Remote File Upload
Patched in Version: 7.0.6.2
Severity Score: Critical

The vulnerability is patched, so you should update to version 7.0.6.2.

33. Easy Registration Forms

Plugin: Easy Registration Forms
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

This plugin has been closed as of November 12, 2021 and is not available for download. This closure is temporary, pending a full review. We recommend you uninstall and delete until a fix is found.

34. WP Reset Pro 

Plugin: WP Reset Pro 
Vulnerability: Subscriber+ Database Reset
Patched in Version: 5.99
Severity Score: Critical

The vulnerability is patched, so you should update to version 5.99.

Plugin: WP Reset Pro 
Vulnerability: Database Reset via CSRF
Patched in Version: 5.99
Severity Score: Critical

The vulnerability is patched, so you should update to version 5.99.

35. WordPress + Microsoft Office 365

Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 15.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 15.4.

36. Duplicate Post

Plugin: Duplicate Post 
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.0.

37. Backup Migration

Plugin: Backup Migration
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.1.6.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

1. Install the iThemes Security Pro Plugin

The iThemes Security Pro plugin hardens your WordPress site against the most common ways that websites get hacked, with 30+ ways to secure your site in one easy-to-use plugin.

2. Enable the Site Scan to Check for Known Vulnerabilities

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Monitor File Changes

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices
  • reCAPTCHA
  • Brute force protection
  • Two-factor authentication
  • Magic login links
  • Privilege escalation
  • Compromised passwords check & refusal
