Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
1. WPSchoolPress
Plugin: WPSchoolPress
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: 2.1.17
Severity Score: Low
Plugin: WPSchoolPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.1.10
Severity Score: High
Plugin: WPSchoolPress
Vulnerability: Multiple Authenticated SQL Injections
Patched in Version: 2.1.10
Severity Score: High
2. YITH WooCommerce Multi Vendor
Plugin: Squaretype MYITH WooCommerce Multi Vendor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.8.1
Severity Score: High
3. Print-O-Matic
Plugin: Print-O-Matic
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.3
Severity Score: Low
4. Pie Register
Plugin: Pie Register
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.7.1.6
Severity Score: High
Plugin: Pie Register
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 3.7.1.6
Severity Score: Critical
5. Coupon Affiliates for WooCommerce
Plugin: Coupon Affiliates for WooCommerce
Vulnerability: Arbitrary Referral Visits Deletion via CSRF
Patched in Version: 4.11.3.4
Severity Score: Medium
6. MAZ Loader
Plugin: MAZ Loader
Vulnerability: Contributor+ SQL Injection
Patched in Version: 1.3.3
Severity Score: High
7. Storefront Footer Text
Plugin: Storefront Footer Text
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Medium
8. Quiz Tool Lite
Plugin: Quiz Tool Lite
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
9. Qwizcards
Plugin: Qwizcards
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 3.62
Severity Score: Low
10. Loco Translate
Plugin: Loco Translate
Vulnerability: Authenticated PHP Code Injection
Patched in Version: 2.5.4
Severity Score: High
11. iPanorama 360 WordPress Virtual Tour Builder
Plugin: iPanorama 360 WordPress Virtual Tour Builder
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 1.6.22
Severity Score: High
12. Vision Interactive For WordPress
Plugin: Vision Interactive For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
Severity Score: High
13. ImageLinks Interactive Image Builder for WordPress
Plugin: ImageLinks Interactive Image Builder for WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
Severity Score: High
14. WordPress Easy Custom Js And Css Plugin
Plugin: WordPress Easy Custom Js And Css Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: no known fix
Severity Score: High
15. iPages Flipbook For WordPress
Plugin: iPages Flipbook For WordPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.4.3
Severity Score: High
16. 404 to 301
Plugin: 404 to 301
Vulnerability: Logs Deletion via CSRF
Patched in Version: 3.0.9
Severity Score: Medium
17. Post Expirator
Plugin: Post Expirator
Vulnerability: Contributor+ Arbitrary Post Schedule
Patched in Version: 2.6.0
Severity Score: High
18. WP Header Images
Plugin: WP Header Images
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.1
Severity Score: High
19. Subscriptions & Memberships for PayPal
Plugin: Subscriptions & Memberships for PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: No known fix – plugin closed
Severity Score: High
20. Accept Donations with PayPal
Plugin: Accept Donations with PayPal
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: 1.3.1
Severity Score: High
21. PayPal Events
Plugin: PayPal Events
Vulnerability: Reflected Cross-Site Scripting via page Parameter
Patched in Version: No known fix – plugin closed
Severity Score: High
22. Header Footer Code Manager
Plugin: Header Footer Code Manager
Vulnerability: Admin+ SQL Injections
Patched in Version: 1.1.14
Severity Score: Medium
23. wpDiscuz
Plugin: wpDiscuz
Vulnerability: Arbitrary Comment Addition/Edition/Deletion via CSRF
Patched in Version: 7.3.4
Severity Score: Medium
24. 3D Print Lite
Plugin: 3D Print Lite
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.1.6
Severity Score: High
25. Asgaros Forum
Plugin: Asgaros Forum
Vulnerability: Redirect Deletion via CSRF
Patched in Version: 1.15.13
Severity Score: High
26. WP SEO Redirect 301
Plugin: WP SEO Redirect 301
Vulnerability: Redirect Deletion via CSRF
Patched in Version: 2.3.2
Severity Score: Medium
27. WCFM – Frontend Manager for WooCommerce
Plugin: WCFM – Frontend Manager for WooCommerce
Vulnerability: Customer/Subscriber+ SQL Injection
Patched in Version: 6.5.12
Severity Score: High
28. Affiliate Manager
Plugin: Affiliate Manager
Vulnerability: Admin+ SQL Injections
Patched in Version: 2.8.7
Severity Score: Medium
29. Similar Posts
Plugin: Similar Posts
Vulnerability: Admin+ Arbitrary PHP Code Execution
Patched in Version: 3.1.6
Severity Score: High
30. WooCommerce Products Table
Plugin: WooCommerce Products Table
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.4
Severity Score: Medium
31. Discounts Manager for Products
Plugin: Discounts Manager for Products
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.4.5
Severity Score: High
32. Testimonial Builder
Plugin: Testimonial Builder
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.6.0
Severity Score: Low
33. Brizy
Plugin: Brizy
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: 2.3.12
Severity Score: High
Plugin: Brizy
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.3.12
Severity Score: Medium
Plugin: Brizy
Vulnerability: Authenticated File Upload and Path Traversal
Patched in Version: 2.3.12
Severity Score: High
34. Colorful Categories
Plugin: Colorful Categories
Vulnerability: Arbitrary Colors Update via CSRF
Patched in Version: 2.0.15
Severity Score: Medium
35. WP Fastest Cache
Plugin: WP Fastest Cache
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 0.9.5
Severity Score: High
Plugin: WP Fastest Cache
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 0.9.5
Severity Score: High
36. Business Manager
Plugin: Business Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low
37. Job Board Vanila
Plugin: Job Board Vanila
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
38. WpGenius Job Listing
Plugin: WpGenius Job Listing
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
39. Job Manager
Plugin: Job Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
40. Job Portal
Plugin: Job Portal
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
41. MyBB Cross-Poster
Plugin: MyBB Cross-Poster
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
42. KJM Admin Notices
Plugin: KJM Admin Notices
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: No known fix – plugin closed
Severity Score: Low
43. HAL
Plugin: HAL
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.2
Severity Score: Low
44. Author Bio Box
Plugin: Author Bio Box
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.4.0
Severity Score: Low
45. WordPress + Microsoft Office 365
Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 15.4
Severity Score: Critical
46. YOP Poll
Plugin: YOP Poll
Vulnerability: Author+ Stored Cross-Site Scripting via Options Module
Patched in Version: 6.3.1
Severity Score: Medium
Plugin: YOP Poll
Vulnerability: Author+ Stored Cross-Site Scripting via Preview Module
Patched in Version: 6.3.1
Severity Score: Medium
47. Indeed Job Importer
Plugin: Indeed Job Importer
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
48. MPL-Publisher – Self-publish your book & ebook
Plugin: MPL-Publisher – Self-publish your book & ebook
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low
49. JobBoardWP
Plugin: JobBoardWP
Vulnerability: Incorrect Authorization to Post Modification
Patched in Version: No known fix – plugin closed
Severity Score: Low
WordPress Theme Vulnerabilities
1. Squaretype Modern Blog
Theme: Squaretype Modern Blog
Vulnerability: Unauthenticated Private/Schedule Posts Disclosure
Patched in Version: 3.0.4
Severity Score: Medium
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.
