WordPress Vulnerability Report: November 2021, Part 4

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

In a security disclosure published on November 21, 2021, GoDaddy says that up to 1.2 million active and inactive customers have been exposed after hackers gained access to its managed WordPress hosting platform.

We wrote a post to unpack a few of the details of the recent GoDaddy hack, how it affects customers, and our recommendations for what to do if you’re a WordPress hosting customer at GoDaddy.

The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

1. Pixel Cat Lite

Plugin: Pixel Cat Lite
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.6.3
Severity Score: Low

Plugin: Pixel Cat Lite
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 2.6.2
Severity Score: High

2. All-In-One-Gallery

Plugin: All-In-One-Gallery
Vulnerability: Admin+ Local File Inclusion
Patched in Version: 2.5.0
Severity Score: Low

3. StopBadBots  

Plugin: StopBadBots 
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.67
Severity Score: Critical

4. Temporary Login Without Password

Plugin: Temporary Login Without Password
Vulnerability: Subscriber+ Plugin’s Settings Update
Patched in Version: 1.7.1
Severity Score: Medium

5. ProfilePress

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: Medium

Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: High

6. Modern Events Calendar

Plugin: Modern Events Calendar
Vulnerability: Unauthenticated Blind SQL Injection
Patched in Version: 6.1.5
Severity Score: High

Plugin: Modern Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.1.5
Severity Score: High

7. Auto Featured Image

Plugin: Auto Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.9.3
Severity Score: Medium

8. Ultimate NoFollow

Plugin: Ultimate NoFollow 
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Medium

9. NEX-Forms

Plugin: NEX-Forms 
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

10. SEO Booster 

Plugin: SEO Booster  
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix – plugin closed
Severity Score: Medium

11. WP System Log

Plugin: WP System Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.0.21
Severity Score: Critical

12. Inspirational Quote Rotator

Plugin: Inspirational Quote Rotator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

13. Single Post Exporter

Plugin: Single Post Exporter
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium

14. Flex Local Fonts

Plugin: Flex Local Fonts 
Vulnerability: Admin+ Stored Cross-Site-Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

15. WP Admin Logo Changer

Plugin: WP Admin Logo Changer
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium

16. Contact Form Advanced Database

Plugin: Contact Form Advanced Database 
Vulnerability: Unauthorised AJAX Calls
Patched in Version: No known fix
Severity Score: Medium

17. Shiny Buttons

Plugin: Shiny Buttons
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

18. Filter Portfolio Gallery

Plugin: Filter Portfolio Gallery
Vulnerability: Arbitrary Gallery Deletion via CSRF
Patched in Version: No known fix
Severity Score: Medium

19. WP Limits

Plugin: WP Limits
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix
Severity Score: Medium

20. Page/Post Content Shortcode

Plugin: Page/Post Content Shortcode
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium

21. Improved Include Page

Plugin: Improved Include Page
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium

22. Mediamatic

Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Patched in Version: No known fix
Severity Score: High

23. Display Post Metadata

Plugin: Display Post Metadata
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium

24. ToTop Link

Plugin: ToTop Link
Vulnerability: Unauthenticated PHP Object Injection
Patched in Version: No known fix
Severity Score: Medium

25. User Meta Shortcodes

Plugin: User Meta Shortcodes
Vulnerability: Contributor+ Unauthorized Arbitrary User Metadata Access
Patched in Version: No known fix
Severity Score: High

26. Quotes Collection

Plugin: Quotes Collection
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix
Severity Score: Medium

27. Push Notifications for WordPress (Lite)

Plugin: Push Notifications for WordPress (Lite) 
Vulnerability: Settings Update via CSRF
Patched in Version: 6.0.1
Severity Score: Medium

28. SportsPress

Plugin: SportsPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.9
Severity Score: High

29. Login/Signup Popup

Plugin: Login/Signup Popup
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2
Severity Score: High

30. Preview E-mails for WooCommerce

Plugin: Preview E-mails for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.0
Severity Score: Medium

31. WP User Frontend 

Plugin: WP User Frontend  
Vulnerability: Membership, Profile, Registration & Post Submission Plugin for WordPress 
Patched in Version: 3.5.25
Severity Score: Medium

32. Directorist – Business Directory Plugin

Plugin: Directorist – Business Directory Plugin
Vulnerability: CSRF to Remote File Upload
Patched in Version: 7.0.6.2
Severity Score: Critical

33. Easy Registration Forms

Plugin: Easy Registration Forms
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High

34. WP Reset Pro 

Plugin: WP Reset Pro 
Vulnerability: Subscriber+ Database Reset
Patched in Version: 5.99
Severity Score: Critical

Plugin: WP Reset Pro 
Vulnerability: Database Reset via CSRF
Patched in Version: 5.99
Severity Score: Critical

35. WordPress + Microsoft Office 365

Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 15.4
Severity Score: Critical

36. Duplicate Post

Plugin: Duplicate Post 
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.0
Severity Score: Medium

37. Backup Migration

Plugin: Backup Migration
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.6
Severity Score: Medium

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Save 40% Off iThemes Security Pro

Michael Moore

Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.