Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
Want this report delivered to your inbox each week?
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
1. All In One SEO
Plugin: All In One SEO
Vulnerability: Authenticated SQL Injection
Active Installation: 3+ million
Patched in Version: 4.1.5.3
Severity Score: High
The vulnerability is patched, so you should update to version 4.1.5.3.
Plugin: All In One SEO
Vulnerability: Authenticated Privilege Escalation
Active Installation: 3+ million
Patched in Version: 4.1.5.3
Severity Score: Critical
The vulnerability is patched, so you should update to version 4.1.5.3.
2. Smash Balloon Social Post Feed
Plugin: Smash Balloon Social Post Feed
Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS)
Active Installation: 200,000+
Patched in Version: 4.1.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.1.1.
3. Modern Events Calendar Lite
Plugin: Modern Events Calendar Lite
Vulnerability: Subscriber+ Category Add Leading to Stored XSS
Active Installation: 100,000+
Patched in Version: 6.2.0
Severity Score: Medium
The vulnerability is patched, so you should update to version 6.2.0.
4. WOOCS
Plugin: WOOCS
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 60,000+
Patched in Version: 1.3.7.3
Severity Score: High
The vulnerability is patched, so you should update to version 1.3.7.3.
5. Crisp Live Chat
Plugin: Crisp Live Chat
Vulnerability: CSRF to Stored Cross-Site Scripting
Active Installation: 60,000+
Patched in Version: 0.32
Severity Score: High
The vulnerability is patched, so you should update to version 0.32.
6. Image Hover Effects Ultimate
Plugin: Image Hover Effects Ultimate
Vulnerability: Unauthenticated Arbitrary Option Update
Active Installation: 20,000+
Patched in Version: 9.7.0
Severity Score: Critical
The vulnerability is patched, so you should update to version 9.7.0.
7. WP Booking System – Booking Calendar
Plugin: WP Booking System – Booking Calendar
Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS)
Active Installation: 10,000+
Patched in Version: 2.0.15
Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.15.
8. Landing Page Builder
Plugin: Landing Page Builder
Vulnerability: Authenticated Reflected Cross-Site Scripting (XSS)
Active Installation: 10,000+
Patched in Version: 1.4.9.6
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.4.9.6.
9. Fathom Analytics
Plugin: Fathom Analytics
Vulnerability: Admin+ Stored Cross-Site Scripting
Active Installation: 2000+
Patched in Version: 3.0.5
Severity Score: Low
The vulnerability is patched, so you should update to version 3.0.5.
10. True Ranker
Plugin: True Ranker
Vulnerability: Unauthenticated Arbitrary File Access via Path Traversal
Active Installation: 200+
Patched in Version: 2.2.4
Severity Score: Low
The vulnerability is patched, so you should update to version 2.2.4.
WordPress Plugin Vulnerabilities: Plugin Closed
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure.
11. Comment Engine Pro
Plugin: Comment Engine Pro
Vulnerability: Editor+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
This vulnerability has NOT been patched. This plugin has been closed as of October 7, 2021. Uninstall and delete.
12. .htaccess Redirect
Plugin: .htaccess Redirect
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
13. Parsian Bank Gateway for Woocommerce
Plugin: Parsian Bank Gateway for Woocommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
14. Real WYSIWYG
Plugin: Real WYSIWYG
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
15. Link List Manager
Plugin: Link List Manager
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
16. Simple Image Gallery
Plugin: Simple Image Gallery
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
17. WooCommerce EnvioPack
Plugin: WooCommerce EnvioPack
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of November 15, 2021. Uninstall and delete.
18. Magic Post Voice
Plugin: Magic Post Voice
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
19. H5P CSS Editor
Plugin: H5P CSS Editor
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
20. duoFAQ
Plugin: duoFAQ
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
21. Magic Post Voice
Plugin: Magic Post Voice
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 3, 2021. Uninstall and delete.
22. WooCommerce myghpay Payment Gateway
Plugin: WooCommerce myghpay Payment Gateway
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: High
This vulnerability has NOT been patched. This plugin has been closed as of December 13, 2021. Uninstall and delete.
Premium Plugin Vulnerabilities
In this section, the latest WordPress premium plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
23. The Plus Addons for Elementor Pro
Plugin: The Plus Addons for Elementor – Pro
Vulnerability: Sensitive Data Disclosure
Patched in Version: 5.0.7
Severity Score: Medium
The vulnerability is patched, so you should update to version 5.0.7.
Plugin: The Plus Addons for Elementor – Pro
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 5.0.7
Severity Score: Medium
The vulnerability is patched, so you should update to version 5.0.7.
24. Lets Box
Plugin: Lets Box
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.13.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.13.3.
25. Share One Drive
Plugin: Share One Drive
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.15.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.15.3.
26. Out of the Box
Plugin: Out of the Box
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.20.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.20.3.
27. Use Your Drive
Plugin: Use Your Drive
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.18.3
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.18.3.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Save 35% Off iThemes Security Pro Through Dec. 31
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.
