Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core Vulnerabilities
WordPress 5.9.1 was released on February 22, 2022, as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
MC4WP
- Plugin
- MC4WP: Mailchimp for WordPress
- Installations
- 2,000,000+
- Vulnerability
- Admin+ Stored Cross-Site Scripting
- Patched in Version
- 4.8.7
- Severity Score
- Low
Translate WordPress with GTranslate
- Plugin
- Translate WordPress with GTranslate
- Installations
- 300,000+
- Vulnerability
- CSRF to Account Takeover
- Patched in Version
- 2.9.9
- Severity Score
- High
Popup Builder
- Plugin
- Popup Builder – Create highly converting, mobile friendly marketing popups.
- Installations
- 200,000+
- Vulnerability
- SQL Injection to Reflected Cross-Site Scripting
- Patched in Version
- 4.1.1
- Severity Score
- Medium
String Locator
- Plugin
- String locator
- Installations
- 100,000+
- Vulnerability
- Admin+ Arbitrary File Read
- Patched in Version
- 2.5.0
- Severity Score
- Low
Menu Image, Icons made easy
- Plugin
- Menu Image, Icons made easy
- Installations
- 100,000+
- Vulnerability
- Subscriber+ Stored Cross-Site Scripting
- Patched in Version
- 3.0.8
- Severity Score
- High
Amelia
- Plugin
- Amelia – Events & Appointments Booking Calendar
- Installations
- 40,000+
- Vulnerability
- Unauthenticated Stored XSS via lastName; Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
- Patched in Version
- 1.0.47
- Severity Score
- High
Drag and Drop Multiple File Upload – Contact Form 7
- Plugin
- Drag and Drop Multiple File Upload – Contact Form 7
- Installations
- 40,000+
- Vulnerability
- Unauthenticated Stored XSS
- Patched in Version
- 1.3.6.3
- Severity Score
- Medium
WordPress File Upload
- Plugin
- WordPress File Upload
- Installations
- 30,000+
- Vulnerability
- Contributor+ Path Traversal to RCE
- Patched in Version
- 4.16.3
- Severity Score
- Critical
WPC Smart Wishlist for WooCommerce
- Plugin
- WPC Smart Wishlist for WooCommerce
- Installations
- 30,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 2.9.4
- Severity Score
- Medium
SpeakOut! Email Petitions
- Plugin
- SpeakOut! Email Petitions
- Installations
- 5,000+
- Vulnerability
- Unauthenticated SQLi
- Patched in Version
- 2.14.15.1
- Severity Score
- High
Church Admin
- Plugin
- Church Admin
- Installations
- 1,000+
- Vulnerability
- Unauthenticated Plugin’s Backup Disclosure
- Patched in Version
- 3.4.135
- Severity Score
- High
Coupon Affiliates
- Plugin
- WooCommerce Affiliate Plugin – Coupon Affiliates
- Installations
- 1,000+
- Vulnerability
- Unauthenticated Stored XSS
- Patched in Version
- 4.16.4.5
- Severity Score
- High
Revision Manager TMC
- Plugin
- Revision Manager TMC
- Installations
- 1,000+
- Vulnerability
- Folders Disclosure via Outdated jQueryFileTree Library
- Patched in Version
- 2.8.0
- Severity Score
- Medium
Title Experiments Free
- Plugin
- Title Experiments Free
- Installations
- 800+
- Vulnerability
- Unauthenticated SQLi
- Patched in Version
- 9.0.1
- Severity Score
- High
Task Scheduler
- Plugin
- Task Scheduler
- Installations
- 500+
- Vulnerability
- Folders Disclosure via Outdated jQueryFileTree Library
- Patched in Version
- 1.6.1
- Severity Score
- Medium
Limit Login Attempts (Spam Protection)
- Plugin
- Limit Login Attempts (Spam Protection)
- Installations
- 300+
- Vulnerability
- Unauthenticated SQLi
- Patched in Version
- 5.1
- Severity Score
- High
Popup Like box
- Plugin
- Popup Like box – Page Plugin
- Installations
- 300+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 3.6.1
- Severity Score
- Medium
Admin Page Framework
- Plugin
- Admin Page Framework
- Installations
- 200+
- Vulnerability
- Folders Disclosure via Outdated jQueryFileTree Library
- Patched in Version
- 3.9.0
- Severity Score
- Medium
Conference Scheduler
- Plugin
- Conference Scheduler
- Installations
- 200+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 2.4.3
- Severity Score
- Medium
Plezi
- Plugin
- Plezi
- Installations
- 100+
- Vulnerability
- Unauthenticated Stored XSS
- Patched in Version
- 1.0.3
- Severity Score
- High
WordPress File Upload
- Plugin
- Vulnerability
- Contributor+ Path Traversal to RCE
- Patched in Version
- 4.16.3
- Severity Score
- Critical
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.
Pz-LinkCard
- Plugin
- Pz-LinkCard
- Installations
- 30,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- High
WP Block and Stop Bad Bots
- Plugin
- Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
- Vulnerability
- Unauthenticated SQLi
- Patched in Version
- No Fix
- Severity Score
- High
Sermon Browser
- Plugin
- Sermon Browser
- Vulnerability
- Arbitrary File Upload via CSRF
- Patched in Version
- No Fix
- Severity Score
- Medium
Faculty Weekly Schedule
- Plugin
- Faculty Weekly Schedule
- Vulnerability
- Folders Disclosure via Outdated jQueryFileTree Library
- Patched in Version
- No Fix
- Severity Score
- Medium
Read Offline
- Plugin
- Read Offline
- Vulnerability
- Folders Disclosure via Outdated jQueryFileTree Library
- Patched in Version
- No Fix
- Severity Score
- Medium
OSMapper
- Plugin
- OSMapper
- Vulnerability
- Unauthenticated Arbitrary Post Deletion
- Patched in Version
- No Fix
- Severity Score
- High
Bank Mellat
- Plugin
- Bank Mellat
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Better Search TMC
- Plugin
- Better Search TMC
- Vulnerability
- Folders Disclosure via Outdated jQueryFileTree Library
- Patched in Version
- No Fix
- Severity Score
- Medium
Bulk Creator
- Plugin
- Bulk Creator
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Delete Old Orders
- Plugin
- Delete Old Orders
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Mapping Multiple URLs Redirect Same Page
- Plugin
- Mapping multiple URLs redirect same page
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Multilist Subscribe for Sendy
- Plugin
- Multilist Subscribe for Sendy
- Vulnerability
- Subscriber+ Arbitrary Options Update
- Patched in Version
- No Fix
- Severity Score
- High
Akismet Privacy Policies
- Plugin
- Akismet Privacy Policies
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Interactive Medical Drawing of Human Body
- Plugin
- Interactive Medical Drawing of Human Body
- Vulnerability
- Admin+ Stored Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Low
dTabs
- Plugin
- dTabs
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Narnoo Distributor
- Plugin
- Narnoo Distributor
- Vulnerability
- Unauthenticated LFI to Arbitrary File Read / RCE
- Patched in Version
- No Fix
- Severity Score
- High
Sync WooCommerce Product feed to Google Shopping
- Plugin
- Sync WooCommerce Product feed to Google Shopping
- Vulnerability
- Admin+ SQLi
- Patched in Version
- No Fix
- Severity Score
- Medium
Database Peek
- Plugin
- Database Peek
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Wow Countdowns
- Plugin
- Wow Countdowns – easily create any countdowns, counters and timers
- Vulnerability
- Admin+ SQLi
- Patched in Version
- No Fix
- Severity Score
- Medium
Updates Continue for 400+ Plugins, Themes Impacted by Insecure Freemius Version
Last week, it was discovered that many plugins and themes are using an insecure version of the Freemius Framework, which is used to power their upsell paths from free to Pro.
As of this report, over 400 plugins and 25 themes are impacted. Because the list is so large, we’re linking directly to the WPScan vulnerability disclosure for the latest information about patches.
Actions to take:
WordPress Theme Vulnerabilities
In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.
