virusword.com

Learn Wordpress

Home/Woocommerce/WordPress Vulnerability Report – April 20, 2022

WordPress Vulnerability Report – April 20, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Core Vulnerabilities

WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Elementor

Product image for Elementor Website Builder.

Plugin
Elementor Website Builder

Installations
5,000,000+

Vulnerability
Subscriber+ Arbitrary File Upload

Patched in Version
3.6.3

Severity Score
Critical

The vulnerability has been patched, so you should update to version 3.6.3.

Popup Maker

Product image for Popup Maker – Popup for opt-ins, lead gen, & more.

Plugin
Popup Maker – Popup for opt-ins, lead gen, & more

Installations
700,000+

Vulnerability
Admin+ Stored Cross-Site Scripting

Patched in Version
1.16.5

Severity Score
Low

The vulnerability has been patched, so you should update to version 1.16.5.

WPvivid Backup and Migration Plugin

Product image for Migration, Backup, Staging – WPvivid.

Plugin
Migration, Backup, Staging – WPvivid

Installations
100,000+

Vulnerability
Admin+ Arbitrary File Download

Patched in Version
0.9.71

Severity Score
Low

The vulnerability has been patched, so you should update to version 0.9.71.

Modern Events Calendar Lite

Product image for Modern Events Calendar Lite.

Plugin
Modern Events Calendar Lite

Installations
100,000+

Vulnerability
Admin+ Stored Cross-Site Scripting

Patched in Version
6.5.2

Severity Score
Low

The vulnerability has been patched, so you should update to version 6.5.2.

Slide Anything

Product image for Slide Anything – Responsive Content / HTML Slider and Carousel.

Plugin
Slide Anything – Responsive Content / HTML Slider and Carousel

Installations
100,000+

Vulnerability
Editor+ Stored Cross-Site Scripting

Patched in Version
2.3.44

Severity Score
Low

The vulnerability has been patched, so you should update to version 2.3.44.

Multiple Plugins from Cool Plugins – Cool Timeline

Product image for Cool Timeline.

Plugin
Cool Timeline

Installations
20,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
2.4

Severity Score
High

The vulnerability has been patched, so you should update to version 2.4.

Popup by Supsystic

Product image for Popup by Supsystic.

Plugin
Popup by Supsystic

Installations
20,000+

Vulnerability
Unauthenticated Subscriber Email Addresses Disclosure

Patched in Version
1.10.9

Severity Score
High

The vulnerability has been patched, so you should update to version 1.10.9.

Multiple Plugins from Cool Plugins – Cryptocurrency Widgets – Price Ticker & Coins List

Product image for Cryptocurrency Widgets – Price Ticker & Coins List.

Plugin
Cryptocurrency Widgets – Price Ticker & Coins List

Installations
10,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
2.5

Severity Score
High

The vulnerability has been patched, so you should update to version 2.5.

Multiple Plugins from Cool Plugins – Events Shortcodes For The Events Calendar

Product image for Events Shortcodes For The Events Calendar.

Plugin
Events Shortcodes For The Events Calendar

Installations
10,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
2.0

Severity Score
High

The vulnerability has been patched, so you should update to version 2.0.

Multiple Plugins from Cool Plugins – Cryptocurrency Donation Box – Bitcoin & Crypto Donations

Product image for Cryptocurrency Donation Box – Bitcoin & Crypto Donations.

Plugin
Cryptocurrency Donation Box – Bitcoin & Crypto Donations

Installations
5,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
1.8

Severity Score
High

The vulnerability has been patched, so you should update to version 1.8.

Multiple Plugins from Cool Plugins – Events Widgets For Elementor And The Events Calendar

Product image for Events Widgets For Elementor And The Events Calendar.

Plugin
Events Widgets For Elementor And The Events Calendar

Installations
5,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
1.5

Severity Score
High

The vulnerability has been patched, so you should update to version 1.5.

Simple Ajax Chat

Product image for Simple Ajax Chat.

Plugin
Simple Ajax Chat

Installations
4,000+

Vulnerability
Sensitive Information Disclosure; Log Clearing & Arbitrary Chat Message Deletion via CSRF

Patched in Version
20220216

Severity Score
Medium

The vulnerability has been patched, so you should update to version 20220216.

Multiple Plugins from Cool Plugins – Event Single Page Templates Addon For The Events Calendar

Product image for Event Single Page Templates Addon For The Events Calendar.

Plugin
Event Single Page Templates Addon For The Events Calendar

Installations
3,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
1.6

Severity Score
High

The vulnerability has been patched, so you should update to version 1.6.

Multiple Plugins from Cool Plugins – Events Search For The Events Calendar

Product image for Events Search For The Events Calendar.

Plugin
Events Search For The Events Calendar

Installations
2,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
1.2

Severity Score
High

The vulnerability has been patched, so you should update to version 1.2.

RSFirewall

Product image for RSFirewall!.

Plugin
RSFirewall!

Installations
2,000+

Vulnerability
IP Block Bypass

Patched in Version
1.1.25

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.1.25.

Multiple Plugins from Cool Plugins – Event Countdown For The Events Calendar

Product image for Event Countdown For The Events Calendar.

Plugin
Event Countdown For The Events Calendar

Installations
2,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
1.4

Severity Score
High

The vulnerability has been patched, so you should update to version 1.4.

Multiple Plugins from Cool Plugins -Cryptocurrency Widgets For Elementor

Product image for Cryptocurrency Widgets For Elementor.

Plugin
Cryptocurrency Widgets For Elementor

Installations
1,000+

Vulnerability
Subscriber+ Arbitrary Plugin Installation & Activation

Patched in Version
1.3

Severity Score
High

The vulnerability has been patched, so you should update to version 1.3.

Ubigeo de Peru

Product image for Ubigeo de Perú para Woocommerce y WordPress.

Plugin
Ubigeo de Perú para Woocommerce y WordPress

Installations
1,000+

Vulnerability
Unauthenticated SQLi

Patched in Version
3.6.4

Severity Score
High

The vulnerability has been patched, so you should update to version 3.6.4.

Order Listener for WooCommerce

Product image for Order Listener for WooCommerce – Play Sounds Instantly on New Orders.

Plugin
Order Listener for WooCommerce – Play Sounds Instantly on New Orders

Installations
1,000+

Vulnerability
Unauthenticated SQLi

Patched in Version
3.2.2

Severity Score
High

The vulnerability has been patched, so you should update to version 3.2.2.

Personal Dictionary

Plugin
Personal Dictionary

Installations
30+

Vulnerability
Unauthenticated SQLi

Patched in Version
1.3.4

Severity Score
High

The vulnerability has been patched, so you should update to version 1.3.4.

Themify

Plugin

Vulnerability
Reflected Cross-Site Scripting

Patched in Version
1.4.0

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.4.0.

Fancy Product Designer

Plugin
Fancy Product Designer

Vulnerability
Arbitrary File Upload via CSRF

Patched in Version
4.7.6

Severity Score
High

The vulnerability has been patched, so you should update to version 4.7.6.

MapSVG

Plugin
MapSVG

Vulnerability
Unauthenticated SQLi

Patched in Version
6.2.20

Severity Score
High

The vulnerability has been patched, so you should update to version 6.2.20.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

WP Maintenance

Product image for WP Maintenance.

Plugin
WP Maintenance

Installations
30,000+

Vulnerability
Admin+ Stored Cross-Site Scripting

Patched in Version
No Fix

Severity Score
Low

The vulnerability has not been patched. You should deactivate the plugin.

WP Social Buttons

Product image for WP Social Buttons.

Plugin
WP Social Buttons

Installations
400+

Vulnerability
Admin+ Stored Cross-Site Scripting

Patched in Version
No Fix

Severity Score
Low

The vulnerability has not been patched. You should deactivate the plugin.

IgniteUp

Plugin
IgniteUp – Coming Soon and Maintenance Mode

Vulnerability
Admin+ Stored Cross-Site Scripting

Patched in Version
No Fix

Severity Score
Low

The vulnerability has not been patched. You should deactivate the plugin.

BadgeOS

Plugin
BadgeOS

Vulnerability
Unauthenticated SQLi

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

KB Support

Plugin
KB Support – WordPress Help Desk

Vulnerability
Unauthenticated Stored Cross-Site Scripting

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

CalderaWP License Manager

Plugin

Vulnerability
Reflected Cross-Site Scripting

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Admin Menu Editor

Plugin
Admin Menu Editor

Vulnerability
Reflected Cross-Site Scripting

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Product Filter For WooCommerce Product

Plugin
Product Filter For WooCommerce Product

Vulnerability
Unauthenticated SQLi

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

SEMA API

Plugin
SEMA API

Vulnerability
Unauthenticated SQLi

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

Easily Generate Rest API Url

Plugin
Easily Generate Rest API Url

Vulnerability
Admin+ Stored Cross-Site Scripting

Patched in Version
No Fix

Severity Score
Low

The vulnerability has not been patched. You should deactivate the plugin.

WP Video Gallery

Plugin
WP Video Gallery

Vulnerability
Unauthenticated SQLi

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

  • Good news! No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Source link

Explore more

Get our Wordpress Guide Get Plugins Get Connected