Menu
iThemes
WordPress Security, Backups & Maintenance
  • Products
    • iThemes Security Pro
    • BackupBuddy
    • iThemes Sync
    • Why buy from iThemes?
  • Bundles
    • Essentials Bundle
    • Plugin Suite
    • WordPress Web Designer’s Toolkit
    • Customer Spotlights
  • Resources
    • Blog
    • WordPress 101 Tutorials
    • WordPress Ebooks
    • Weekly WordPress Vulnerability Report
    • The Ultimate Guide to Starting a Web Design Business
  • Training
    • Upcoming Webinars
    • Free Webinar Library
    • Premium Courses
    • Become a Member
    • Member Login
  • Support
    • Documentation
    • Get Help
    • Product Updates
    • Upgrade Policy
    • Contact
    • Our Mission: Make People’s Lives Awesome
  • Log In
WordPress News and Updates from iThemes
Categories
  • Product Updates
  • WordPress Backup
  • WordPress Block Editor
  • WordPress Ecommerce
  • WordPress for Freelancers
  • WordPress Security
  • WordPress Tutorials
  • WPprosper

WordPress Vulnerability Report: October 2021, Part 4

Written by iThemes Editorial Team on October 27, 2021

Last Updated on October 27, 2021

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.

Please share this post with your friends to help get the word out and make WordPress safer for everyone.

In The October 27, 2021 Report
  • WordPress Core Vulnerabilities
  • WordPress Plugin Vulnerabilities
    • 1. Shared Files
    • 2. QR Redirector
    • 3. MouseWheel Smooth Scroll 
    • 4. Insert Pages
    • 5. SEO Redirection
    • 6. Paypal Donation
    • 7. IMPress for IDX Broker
    • 8. Simple JWT Login
    • 9. My Tickets
    • 10. Client Invoicing by Sprout Invoices
    • 11. Email Log
    • 12. WP Performance Score Booster
    • 13. Active Directory Integration / LDAP Integration
    • 14. TableOn
    • 15. Responsive Image Slider, Photo Gallery And Carousel
    • 16. WP Sitemap Page
    • 17. Stream
    • 18. Helpful
    • 19. LearnPress
    • 20. Content Staging 
    • 21. Leaky Paywall
    • 22. Tutor LMS
    • 23. Logo Showcase with Slick Slider
    • 24. Formidable Form Builder
    • 25. Download Plugin 
    • 26. Images to WebP 
    • 27. MStore API
    • 28. Easy Digital Downloads
    • 29. Advanced Access Manager
    • 30. YOP Poll
    • 31. WP Attachment Export
    • 32. Content text slider on post 
    • 33. Icegram
    • 34. BetterLinks
    • 35. LearnDash
    • 36. ImageBoss
    • 37. Forminator 
    • 38. MPL-Publisher
    • 39. Elementor 
    • 40. Sassy Social Share
    • 41. Pie Register
    • 42. Advanced Forms
    • 43. Catch Themes Demo Import
    • 44. Simple Job Board
    • 45. Ivory Search
    • 46. Age Gate
  • How to Protect Your WordPress Website From Vulnerable Plugins and Themes
  • Get iThemes Security Pro with 24/7 Website Monitoring
Want this report delivered to your inbox each week?
Subscribe to the weekly email

WordPress Core Vulnerabilities

The latest version of WordPress core is 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.

1. Shared Files

Plugin: Shared Files
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.6.61
Severity Score: Low

The vulnerability is patched, so you should update to version 1.6.61.

2. QR Redirector

Plugin: QR Redirector
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.6.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.1.

Plugin: QR Redirector
Vulnerability: Subscriber+ Arbitrary QR Redirect Response Status Update
Patched in Version: 1.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.

3. MouseWheel Smooth Scroll 

Plugin: MouseWheel Smooth Scroll 
Vulnerability: Plugin’s Setting Update via CSRF
Patched in Version: 5.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 5.7.

4. Insert Pages

Plugin: Insert Pages
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: 3.7.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.7.0.

Plugin: Insert Pages
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 3.7.0
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.7.0.

5. SEO Redirection

Plugin: SEO Redirection
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 8.2
Severity Score: High

The vulnerability is patched, so you should update to version 8.2.

6. Paypal Donation

Plugin: Paypal Donation
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.3.2
Severity Score: Low

The vulnerability is patched, so you should update to version 1.3.2.

7. IMPress for IDX Broker

Plugin: IMPress for IDX Broker
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.6
Severity Score: High

The vulnerability is patched, so you should update to version 3.0.6.

8. Simple JWT Login

Plugin: Simple JWT Login
Vulnerability: Arbitrary Settings Update to Site Takeover via CSRF
Patched in Version: 3.2.1
Severity Score: High

The vulnerability is patched, so you should update to version 3.2.1.

9. My Tickets

Plugin: My Tickets
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 1.8.31
Severity Score: High

The vulnerability is patched, so you should update to version 1.8.31.

10. Client Invoicing by Sprout Invoices

Plugin: Client Invoicing by Sprout Invoices
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 19.9.7
Severity Score: Low

The vulnerability is patched, so you should update to version 19.9.7.

11. Email Log

Plugin: Email Log
Vulnerability: Admin+ SQL Injection
Patched in Version: 2.4.7
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.4.7.

12. WP Performance Score Booster

Plugin WP Performance Score Booster
Vulnerability: Settings Change via CSRF
Patched in Version: 2.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 2.1.

13. Active Directory Integration / LDAP Integration

Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 3.6.95
Severity Score: High

The vulnerability is patched, so you should update to version 3.6.95.

14. TableOn

Plugin: TableOn
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.0.1.

15. Responsive Image Slider, Photo Gallery And Carousel

Plugin: Responsive Image Slider, Photo Gallery And Carousel
Vulnerability: Slider Clone/Save/Delete via CSRF
Patched in Version: 1.3.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.2.

Plugin: Responsive Image Slider, Photo Gallery And Carousel
Vulnerability: Subscriber+ Arbitrary Post Access
Patched in Version: 1.3.6
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.3.6.

16. WP Sitemap Page

Plugin: WP Sitemap Page
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 1.7.0
Severity Score: Low

The vulnerability is patched, so you should update to version 1.7.0.

17. Stream

Plugin: Stream
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.8.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.8.2.

18. Helpful

Plugin: Helpful
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.4.59
Severity Score: Low

The vulnerability is patched, so you should update to version 4.4.59.

19. LearnPress

Plugin: LearnPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.1.3.2
Severity Score: Low

The vulnerability is patched, so you should update to version 4.1.3.2.

20. Content Staging 

Plugin: Content Staging 
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low

This vulnerability has NOT been patched. This plugin has been closed as of October 15, 2021. Uninstall and delete.

21. Leaky Paywall

Plugin: Leaky Paywall
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low

This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.

22. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.11
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.11.

23. Logo Showcase with Slick Slider

Plugin: Logo Showcase with Slick Slider
Vulnerability: Author+ Stored Cross Site Scripting
Patched in Version: 1.2.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.2.4.

24. Formidable Form Builder

Plugin: Formidable Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 4.09.05
Severity Score: Low

The vulnerability is patched, so you should update to version 4.09.05.

25. Download Plugin 

Plugin: Download Plugin 
Vulnerability: Subscriber+ Arbitrary Plugin Activation
Patched in Version: 1.6.1
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.6.1.

26. Images to WebP 

Plugin: Images to WebP 
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 1.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 1.9.

Plugin: Images to WebP 
Vulnerability: Authenticated Local File Inclusion
Patched in Version: 1.9
Severity Score: Low

The vulnerability is patched, so you should update to version 1.9.

27. MStore API

Plugin: MStore API
Vulnerability: Unauthenticated PHP File Upload
Patched in Version: 3.4.5
Severity Score: Critical

The vulnerability is patched, so you should update to version 3.4.5.

28. Easy Digital Downloads

Plugin: Easy Digital Downloads
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.11.2.1
Severity Score: High

The vulnerability is patched, so you should update to version 2.11.2.1.

29. Advanced Access Manager

Plugin: Advanced Access Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 6.8.0
Severity Score: Low

The vulnerability is patched, so you should update to version 6.8.0.

30. YOP Poll

Plugin: YOP Poll
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.1.2
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.1.2.

31. WP Attachment Export

Plugin: WP Attachment Export
Vulnerability: Unauthenticated Posts Download
Patched in Version: 0.2.4
Severity Score: High

The vulnerability is patched, so you should update to version 1.2.4.

32. Content text slider on post 

Plugin: Content text slider on post 
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 6.9
Severity Score: Medium

The vulnerability is patched, so you should update to version 6.9.

33. Icegram

Plugin: Icegram
Vulnerability:  Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.3
Severity Score: Low

The vulnerability is patched, so you should update to version 2.0.3.

34. BetterLinks

Plugin: BetterLinks
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.6
Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.6.

35. LearnDash

Plugin: LearnDash
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: 2.5.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.5.4.

36. ImageBoss

Plugin: ImageBoss
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.0.6
Severity Score: Low

The vulnerability is patched, so you should update to version 3.0.6.

37. Forminator 

Plugin: Forminator 
Vulnerability: Admin + Stored Cross Site Scripting
Patched in Version: 1.2.4
Severity Score: Low

The vulnerability is patched, so you should update to version 1.2.4.

38. MPL-Publisher

Plugin: MPL-Publisher
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 1.30.4
Severity Score: Low

The vulnerability is patched, so you should update to version 1.30.4.

39. Elementor 

Plugin: Elementor 
Vulnerability: DOM Cross Site Scripting
Patched in Version: 3.1.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.1.4.

40. Sassy Social Share

Plugin: Sassy Social Share
Vulnerability: Missing Access Controls to PHP Object Injection
Patched in Version: 3.3.24
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.3.24.

41. Pie Register

Plugin: Pie Register
Vulnerability: Open Redirect
Patched in Version: 3.7.2.4
Severity Score: Medium

The vulnerability is patched, so you should update to version 3.7.2.4.

42. Advanced Forms

Plugin: Advanced Forms
Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR
Patched in Version: 1.6.9
Severity Score: High

The vulnerability is patched, so you should update to version 1.6.9.

Plugin: Advanced Forms Pro
Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR
Patched in Version: 1.6.9
Severity Score: High

The vulnerability is patched, so you should update to version 1.6.9.

43. Catch Themes Demo Import

Plugin: Catch Themes Demo Import
Vulnerability: Admin+ Arbitrary File Upload
Patched in Version: 1.8
Severity Score: Critical

The vulnerability is patched, so you should update to version 1.8.

44. Simple Job Board

Plugin: Simple Job Board
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.9.5
Severity Score: Low

The vulnerability is patched, so you should update to version 2.9.5.

45. Ivory Search

Plugin: Ivory Search
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.7
Severity Score: High

The vulnerability is patched, so you should update to version 4.7.

46. Age Gate

Plugin: Age Gate
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.16.4
Severity Score: Critical

The vulnerability is patched, so you should update to version 2.16.4.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.

1. Scan for Known Website Vulnerabilities

The iThemes Security Pro plugin scans for the #1 reason WordPress sites get hacked: outdated plugins and themes with known vulnerabilities.

2. Auto-Update to Safe Versions

The Version Management feature in iThemes Security Pro integrates with the Site Scan to protect your site. Vulnerable themes, plugins and WordPress core versions will be automatically updated for you.

3. Monitor File Changes

The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.

Get iThemes Security Pro with 24/7 Website Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

  • Site scanner for plugin and theme vulnerabilities
  • File change detection
  • Real-time website security dashboard
  • WordPress security logs
  • Trusted devices
  • reCAPTCHA
  • Brute force protection
  • Two-factor authentication
  • Magic login links
  • Privilege escalation
  • Compromised passwords check & refusal

Get iThemes Security Pro

iThemes Team
iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

Share via:

  • Facebook
  • Twitter
  • LinkedIn
  • More
Other related posts
website design process
Web Design Inspiration for 2022: Top 10 Trends to Watch
Kadence Conversions
Kadence Conversions: Build Pop-ups, Slide-ins & Banners in WordPress
Hackers broke my business
GoDaddy Hacked: 5 Ways to Secure Your WordPress Site
WordPress Vulnerability Report
WordPress Vulnerability Report: November 2021, Part 2

Get updates on new themes & plugins plus special discounts

About iThemes

  • Contact Us
  • Website Accessibility Statement
  • Sitemap

Resources

  • Blog
  • Documentation
  • WordPress Tutorials
  • Free WordPress Ebooks
  • Free Webinar Library
  • Free Upcoming Webinars
  • iThemes Training
  • Affiliates

Customers

  • Member Panel Login
  • Support
  • FAQs
  • Upgrade Policy
  • Licensing
  • Terms and Conditions
  • Refund Policy

Top Products

  • BackupBuddy
  • iThemes Security Pro
  • iThemes Sync
  • Restrict Content Pro
  • WPComplete
  • WordPress Plugins
  • Content Upgrades
  • WordPress Landing Page Plugin
  • BackupBuddy Stash

iThemes Media LLC Copyright © 2023 All rights reserved | Privacy Policy

A Liquid Web Brand © 2022 All Rights Reserved.

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Report
Share via
Facebook
Twitter
LinkedIn
Mix
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.
No spam. Unsubscribe anytime.