WordPress Vulnerability Report: October 2021, Part 3

Written by iThemes Editorial Team on October 20, 2021

Last Updated on October 20, 2021

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

Contents of the October 20, 2021 Report

    WordPress Core Vulnerabilities

    The latest version of WordPress core is 5.8.1, which was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

    WordPress Plugin Vulnerabilities

    This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the version number in which it was patched (if a patch exists), and the severity rating.

    1. WPSchoolPress

    Plugin: WPSchoolPress
    Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
    Patched in Version: 2.1.17
    Severity Score: Low

    The vulnerability is patched, so you should update to version 2.1.17.

    Plugin: WPSchoolPress
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 2.1.10
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.1.10.

    Plugin: WPSchoolPress
    Vulnerability: Multiple Authenticated SQL Injections
    Patched in Version: 2.1.10
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.1.10.

    2. YITH WooCommerce Multi Vendor

    Plugin: YITH WooCommerce Multi Vendor
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 3.8.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 3.8.1.

    3. Print-O-Matic

    Plugin: Print-O-Matic
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: 2.0.3
    Severity Score: Low

    The vulnerability is patched, so you should update to version 2.0.3.

    4. Pie Register

    Plugin: Pie Register
    Vulnerability: Unauthenticated SQL Injection
    Patched in Version: 3.7.1.6
    Severity Score: High

    The vulnerability is patched, so you should update to version 3.7.1.6.

    Plugin: Pie Register
    Vulnerability: Unauthenticated SQL Injection
    Patched in Version: 3.7.1.6
    Severity Score: Critical

    The vulnerability is patched, so you should update to version 3.7.1.6.

    5. Coupon Affiliates for WooCommerce

    Plugin: Coupon Affiliates for WooCommerce
    Vulnerability: Arbitrary Referral Visits Deletion via CSRF
    Patched in Version: 4.11.3.4
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 4.11.3.4.

    6. MAZ Loader

    Plugin: MAZ Loader
    Vulnerability: Contributor+ SQL Injection
    Patched in Version: 1.3.3
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.3.3.

    7. Storefront Footer Text

    Plugin: Storefront Footer Text
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: Medium

    This vulnerability has NOT been patched. This plugin has been closed as of October 6, 2021. Uninstall and delete.

    8. Quiz Tool Lite

    Plugin: Quiz Tool Lite
    Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of September 28, 2021. Uninstall and delete.

    9. Qwizcards

    Plugin: Qwizcards
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: 3.62
    Severity Score: Low

    The vulnerability is patched, so you should update to version 3.62.

    10. Loco Translate

    Plugin: Loco Translate
    Vulnerability: Authenticated PHP Code Injection
    Patched in Version: 2.5.4
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.5.4.

    11. iPanorama 360 WordPress Virtual Tour Builder

    Plugin: iPanorama 360 WordPress Virtual Tour Builder
    Vulnerability: CSRF to Stored Cross-Site Scripting
    Patched in Version: 1.6.22
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.6.22.

    12. Vision Interactive For WordPress

    Plugin: Vision Interactive For WordPress
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: no known fix
    Severity Score: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    13. ImageLinks Interactive Image Builder for WordPress

    Plugin: ImageLinks Interactive Image Builder for WordPress
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: no known fix
    Severity Score: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    14. WordPress Easy Custom Js And Css Plugin

    Plugin: WordPress Easy Custom Js And Css Plugin
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: no known fix
    Severity Score: High

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    15. iPages Flipbook For WordPress

    Plugin: iPages Flipbook For WordPress
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.4.3
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.4.3.

    16. 404 to 301

    Plugin: 404 to 301
    Vulnerability: Logs Deletion via CSRF
    Patched in Version: 3.0.9
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 3.0.9.

    17. Post Expirator

    Plugin: Post Expirator
    Vulnerability: Contributor+ Arbitrary Post Schedule
    Patched in Version: 2.6.0
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.6.0.

    18. WP Header Images

    Plugin: WP Header Images
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 2.0.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.0.1.

    19. Subscriptions & Memberships for PayPal

    Plugin: Subscriptions & Memberships for PayPal
    Vulnerability: Reflected Cross-Site Scripting via page Parameter
    Patched in Version: No known fix – plugin closed
    Severity Score: High

    This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.

    20. Accept Donations with PayPal

    Plugin: Accept Donations with PayPal
    Vulnerability: Reflected Cross-Site Scripting via page Parameter
    Patched in Version: 1.3.1
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.3.1.

    21. PayPal Events 

    Plugin: PayPal Events 
    Vulnerability: Reflected Cross-Site Scripting via page Parameter
    Patched in Version: No known fix – plugin closed
    Severity Score: High

    This vulnerability has NOT been patched. This plugin has been closed as of September 30, 2021. Uninstall and delete.

    22. Header Footer Code Manager

    Plugin: Header Footer Code Manager
    Vulnerability: Admin+ SQL Injections
    Patched in Version: 1.1.14
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 1.1.14.

    23. wpDiscuz 

    Plugin: wpDiscuz 
    Vulnerability: Arbitrary Comment Addition/Edition/Deletion via CSRF
    Patched in Version: 7.3.4
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 7.3.4.

    24. 3D Print Lite

    Plugin: 3D Print Lite
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.9.1.6
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.9.1.6.

    25. Asgaros Forum

    Plugin: Asgaros Forum
    Vulnerability: Redirect Deletion via CSRF
    Patched in Version: 1.15.13
    Severity Score: High

    The vulnerability is patched, so you should update to version 1.15.13.

    26. WP SEO Redirect 301

    Plugin: WP SEO Redirect 301
    Vulnerability: Redirect Deletion via CSRF
    Patched in Version: 2.3.2
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.3.2.

    27. WCFM – Frontend Manager for WooCommerce

    Plugin: WCFM – Frontend Manager for WooCommerce
    Vulnerability: Customer/Subscriber+ SQL Injection
    Patched in Version: 6.5.12
    Severity Score: High

    The vulnerability is patched, so you should update to version 6.5.12.

    28. Affiliate Manager

    Plugin: Affiliate Manager
    Vulnerability: Admin+ SQL Injections
    Patched in Version: 2.8.7
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.8.7.

    29. Similar Posts

    Plugin: Similar Posts
    Vulnerability: Admin+ Arbitrary PHP Code Execution
    Patched in Version: 3.1.6
    Severity Score: High

    The vulnerability is patched, so you should update to version 3.1.6.

    30. WooCommerce Products Table

    Plugin: WooCommerce Products Table
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 1.0.4
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 1.0.4.

    31. Discounts Manager for Products

    Plugin: Discounts Manager for Products
    Vulnerability: Reflected Cross-Site Scripting
    Patched in Version: 3.4.5
    Severity Score: High

    The vulnerability is patched, so you should update to version 3.4.5.

    32. Testimonial Builder

    Plugin: Testimonial Builder
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: 1.6.0
    Severity Score: Low

    The vulnerability is patched, so you should update to version 1.6.0.

    33. Brizy

    Plugin: Brizy
    Vulnerability: Incorrect Authorization to Post Modification
    Patched in Version: 2.3.12
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.3.12.

    Plugin: Brizy
    Vulnerability: Authenticated Stored Cross-Site Scripting
    Patched in Version: 2.3.12
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.3.12.

    Plugin: Brizy
    Vulnerability: Authenticated File Upload and Path Traversal
    Patched in Version: 2.3.12
    Severity Score: High

    The vulnerability is patched, so you should update to version 2.3.12.

    34. Colorful Categories

    Plugin: Colorful Categories
    Vulnerability: Arbitrary Colors Update via CSRF
    Patched in Version: 2.0.15
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 2.0.15.

    35. WP Fastest Cache

    Plugin: WP Fastest Cache
    Vulnerability: Subscriber+ SQL Injection
    Patched in Version: 0.9.5
    Severity Score: High

    The vulnerability is patched, so you should update to version 0.9.5.

    Plugin: WP Fastest Cache
    Vulnerability: CSRF to Stored Cross-Site Scripting
    Patched in Version: 0.9.5
    Severity Score: High

    The vulnerability is patched, so you should update to version 0.9.5.

    36. Business Manager

    Plugin: Business Manager
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix
    Severity Score: Low

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    37. Job Board Vanila

    Plugin: Job Board Vanila
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

    38. WpGenius Job Listing 

    Plugin: WpGenius Job Listing 
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

    39. Job Manager

    Plugin: Job Manager
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

    40. Job Portal

    Plugin: Job Portal
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

    41. MyBB Cross-Poster

    Plugin: MyBB Cross-Poster
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

    42. KJM Admin Notices

    Plugin: KJM Admin Notices
    Vulnerability: Incorrect Authorization to Post Modification
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of October 13, 2021. Uninstall and delete.

    43. HAL

    Plugin: HAL
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: 2.2
    Severity Score: Low

    The vulnerability is patched, so you should update to version 2.2.

    44. Author Bio Box

    Plugin: Author Bio Box
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: 3.4.0
    Severity Score: Low

    The vulnerability is patched, so you should update to version 3.4.0.

    45. WordPress + Microsoft Office 365

    Plugin: WordPress + Microsoft Office 365
    Vulnerability: Unauthenticated Stored Cross-Site Scripting
    Patched in Version: 15.4
    Severity Score: Critical

    The vulnerability is patched, so you should update to version 15.4.

    46. YOP Poll 

    Plugin: YOP Poll 
    Vulnerability: Author+ Stored Cross-Site Scripting via Options Module
    Patched in Version: 6.3.1
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 6.3.1.

    Plugin: YOP Poll 
    Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
    Patched in Version: 6.3.1
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 6.3.1.

    47. Indeed Job Importer

    Plugin: Indeed Job Importer
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix – plugin closed
    Severity Score: High

    This vulnerability has NOT been patched. This plugin has been closed as of October 14, 2021. Uninstall and delete.

    48. MPL-Publisher – Self-publish your book & ebook

    Plugin: MPL-Publisher – Self-publish your book & ebook
    Vulnerability: Admin+ Stored Cross-Site Scripting
    Patched in Version: No known fix
    Severity Score: Low

    This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

    49. JobBoardWP

    Plugin: JobBoardWP
    Vulnerability: Incorrect Authorization to Post Modification
    Patched in Version: No known fix – plugin closed
    Severity Score: Low

    This vulnerability has NOT been patched. This plugin has been closed as of October 14, 2021. Uninstall and delete.

    WordPress Theme Vulnerabilities

    1. Squaretype Modern Blog

    Theme: Squaretype Modern Blog
    Vulnerability: Unauthenticated Private/Schedule Posts Disclosure
    Patched in Version: 3.0.4
    Severity Score: Medium

    The vulnerability is patched, so you should update to version 3.0.4.

    How to Protect Your WordPress Website From Vulnerable Plugins and Themes

    As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.

    1. Scan Daily for Known Website Vulnerabilities

    The iThemes Security Pro plugin scans for the #1 reason WordPress sites get hacked: outdated plugins and themes with known vulnerabilities.

    2. Auto-Update to Safe Versions

    The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

    3. Monitor File Changes

    The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro scans your website’s files and alerts you when they change.

    Get iThemes Security Pro with 24/7 Website Monitoring

    iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

    • Site scanner for plugin and theme vulnerabilities
    • File change detection
    • Real-time website security dashboard
    • WordPress security logs
    • Trusted devices
    • reCAPTCHA
    • Brute force protection
    • Two-factor authentication
    • Magic login links
    • Privilege escalation
    • Compromised passwords check & refusal

    Get iThemes Security Pro

    iThemes Editorial Team

    Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.
