WordPress Vulnerability Report – December 7, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Contents of the December 7, 2022 Report

The Future of Authentication is Passkeys! Log in to your WordPress site with biometrics, only available in iThemes Security Pro

The problems of brute force attacks through credential stuffing, phishing attacks, and reused passwords have made our digital lives less secure. We’ve all tried to encourage 2-factor authentication as a protection, but less than 30% of users actually use 2FA. Password-based logins are a problem.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private key cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

Autoptimize

Plugin Slug
autoptimize

Installations
1,000,000+

Vulnerability
Sensitive Data Disclosure

Patched in Version
3.1.0

Severity Score
Medium

The vulnerability has been patched, so you should update to version 3.1.0.

Easy WP SMTP

Plugin Slug
easy-wp-smtp

Installations
600,000+

Vulnerability
Admin+ Arbitrary File Deletion; Admin+ Arbitrary File Access

Patched in Version
1.5.2

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.5.2.

Custom Product Tabs for WooCommerce

Plugin Slug
yikes-inc-easy-custom-woocommerce-product-tabs

Installations
100,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
1.8.0

Severity Score
Low

The vulnerability has been patched, so you should update to version 1.8.0.

Booster for WooCommerce

Plugin Slug
woocommerce-jetpack

Installations
70,000+

Vulnerability
Reflected Cross-Site Scripting

Patched in Version
5.6.3

Severity Score
High

The vulnerability has been patched, so you should update to version 5.6.3.

Stop Spammers Security

Plugin Slug
stop-spammer-registrations-plugin

Installations
60,000+

Vulnerability
Unauthenticated PHP Object Injection

Patched in Version
2022.6

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2022.6.

Quiz and Survey Master

Plugin Slug
quiz-master-next

Installations
40,000+

Vulnerability
Unauthenticated iFrame Injection; Improper Input Validation

Patched in Version
8.0.5

Severity Score
High

The vulnerability has been patched, so you should update to version 8.0.5.

Sliderby10Web

Plugin Slug
slider-wd

Installations
30,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
1.2.53

Severity Score
Low

The vulnerability has been patched, so you should update to version 1.2.53.

Appointment Hour Booking

Plugin Slug
appointment-hour-booking

Installations
30,000+

Vulnerability
Unauthenticated iFrame Injection; CSV Injection; CAPTCHA Bypass

Patched in Version
1.3.73

Severity Score
High

The vulnerability has been patched, so you should update to version 1.3.73.

WP Google Review Slider

Plugin Slug
wp-google-places-review-slider

Installations
20,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
11.6

Severity Score
Low

The vulnerability has been patched, so you should update to version 11.6.

Google Apps Login

Plugin Slug
google-apps-login

Installations
20,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
3.4.5

Severity Score
Low

The vulnerability has been patched, so you should update to version 3.4.5.

Welcart e-Commerce

Plugin Slug
usc-e-shop

Installations
20,000+

Vulnerability
Subscriber+ PHAR Deserialisation; Unauthenticated Arbitrary File Access; Subscriber+ Arbitrary File Access

Patched in Version
2.8.6

Severity Score
High

The vulnerability has been patched, so you should update to version 2.8.6.

GD bbPress Attachments

Plugin Slug
gd-bbpress-attachments

Installations
10,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
4.4

Severity Score
Low

The vulnerability has been patched, so you should update to version 4.4.

Simple Basic Contact Form

Plugin Slug
simple-basic-contact-form

Installations
10,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
20221201

Severity Score
Low

The vulnerability has been patched, so you should update to version 20221201.

WP-Ban

Plugin Slug
wp-ban

Installations
10,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
1.69.1

Severity Score
Low

The vulnerability has been patched, so you should update to version 1.69.1.

All-in-One Addons for Elementor – WidgetKit

Plugin Slug
widgetkit-for-elementor

Installations
10,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
2.4.4

Severity Score
Low

The vulnerability has been patched, so you should update to version 2.4.4.

Advanced Coupons for WooCommerce Coupons

Plugin Slug
advanced-coupons-for-woocommerce-free

Installations
10,000+

Vulnerability
Notice Dismiss via CSRF

Patched in Version
4.5.0.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 4.5.0.1.

Kwayy HTML Sitemap

Plugin Slug
kwayy-html-sitemap

Installations
7,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
4.0

Severity Score
Low

The vulnerability has been patched, so you should update to version 4.0.

Return Refund and Exchange For WooCommerce

Plugin Slug
woo-refund-and-exchange-lite

Installations
4,000+

Vulnerability
Unauthenticated Arbitrary File Upload

Patched in Version
4.0.9

Severity Score
Critical

The vulnerability has been patched, so you should update to version 4.0.9.

WP Smart Import

Plugin Slug
wp-smart-import

Installations
2,000+

Vulnerability
Reflected Cross-Site Scripting

Patched in Version
1.0.3

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.0.3.

Chained Quiz

Plugin Slug
chained-quiz

Installations
2,000+

Vulnerability
Admin+ Stored XSS; Multiple Reflected Cross-Site Scripting; Arbitrary Question Deletion via CSRF; Reflected Cross-Site Scripting; Submitted Quiz Response Deletion via CSRF; Arbitrary Quiz Deletion & Copying via CSRF

Patched in Version
1.3.2.5

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.3.2.5.

WordPress Filter Gallery Plugin

Plugin Slug
filter-gallery

Installations
1,000+

Vulnerability
Admin+ Stored XSS

Patched in Version
0.1.6

Severity Score
Low

The vulnerability has been patched, so you should update to version 0.1.6.

Contest Gallery

Plugin Slug
contest-gallery

Installations
1,000+

Vulnerability
Author+ SQL Injection; Unauthenticated SQL Injection

Patched in Version
19.1.5.1

Severity Score
High

The vulnerability has been patched, so you should update to version 19.1.5.1.

Simple:Press

Plugin Slug
simplepress

Installations
600+

Vulnerability
Admin+ Arbitrary File Update; Subscriber+ Arbitrary File Deletion; Unauthenticated Stored XSS via Forum Replies; Subscriber+ Stored XSS via Profile Signatures

Patched in Version
6.8.1

Severity Score
Low

The vulnerability has been patched, so you should update to version 6.8.1.

ARMember

Plugin
ARMember – Complete Membership Plugin

Plugin Slug
armember

Vulnerability
Unauthenticated Privilege Escalation

Patched in Version
5.6

Severity Score
Critical

The vulnerability has been patched, so you should update to version 5.6.

WP CSV Exporter

Plugin Slug
wp-csv-exporter

Vulnerability
CSV Injection

Patched in Version
1.3.7

Severity Score
Low

The vulnerability has been patched, so you should update to version 1.3.7.

Booster for WooCommerce

Plugin
Booster Plus for WooCommerce

Plugin Slug
booster-plus-for-woocommerce

Vulnerability
Reflected Cross-Site Scripting

Patched in Version
6.0.0

Severity Score
High

The vulnerability has been patched, so you should update to version 6.0.0.

Contest Gallery Pro

Plugin
Contest Gallery Pro

Plugin Slug
contest-gallery-pro

Vulnerability
Admin+ SQL Injection

Patched in Version
19.1.5

Severity Score
Medium

The vulnerability has been patched, so you should update to version 19.1.5.

Booster for WooCommerce

Plugin
Booster Elite for WooCommerce

Plugin Slug
booster-elite-for-woocommerce

Vulnerability
Reflected Cross-Site Scripting

Patched in Version
6.0.0

Severity Score
High

The vulnerability has been patched, so you should update to version 6.0.0.

YITH WooCommerce Gift Cards Premium

Plugin
YITH WooCommerce Gift Cards

Plugin Slug
yith-woocommerce-gift-cards-premium

Vulnerability
Unauthenticated Arbitrary File Upload

Patched in Version
3.20.0

Severity Score
Critical

The vulnerability has been patched, so you should update to version 3.20.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Paytium

Plugin Slug
paytium

Vulnerability
Admin+ Stored XSS

Patched in Version
No Fix

Severity Score
Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

ImageInject

Plugin Slug
wp-inject

Vulnerability
Admin+ Stored XSS

Patched in Version
No Fix

Severity Score
Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Menu Item Visibility Control

Plugin Slug
menu-items-visibility-control

Vulnerability
Admin+ Arbitrary PHP Code Execution

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Bulk Delete Users by Email

Plugin Slug
bulk-delete-users-by-email

Vulnerability
User Deletion via CSRF; Reflected Cross-Site Scripting

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Eventify

Plugin Slug
eventify

Vulnerability
Admin+ Stored XSS

Patched in Version
No Fix

Severity Score
Low

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Supra CSV

Plugin Slug
supra-csv-parser

Vulnerability
Stored Cross-Site Scripting via CSRF

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

IWS – Geo Form Fields

Plugin Slug
iws-geo-form-fields

Vulnerability
Unauthenticated SQLi

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Advanced Booking Calendar

Plugin Slug
advanced-booking-calendar

Vulnerability
CSRF; Unauthenticated SQLi

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Plugin Logic

Plugin Slug
plugin-logic

Vulnerability
Admin+ SQLi

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
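To put the listings above to use on a real site, the following is an added example (not code from the report, WPScan or iThemes) that triages a constructed plugin inventory against a subset of the slugs and patched versions listed in this report. It flags plugins that are below the patched version for update and closed "No Fix" plugins for removal, and its version comparison handles the year-style (2022.6) and date-style (20221201) versions that appear above as well as ordinary dotted versions.

```python
"""Triage an installed-plugin inventory against the advisories in this report."""
import re

# Subset of the advisories transcribed from the report above:
# slug -> (patched version, or None for "No Fix"), severity
ADVISORIES = {
    "autoptimize": ("3.1.0", "Medium"),
    "easy-wp-smtp": ("1.5.2", "Medium"),
    "woocommerce-jetpack": ("5.6.3", "High"),
    "stop-spammer-registrations-plugin": ("2022.6", "Medium"),
    "quiz-master-next": ("8.0.5", "High"),
    "simple-basic-contact-form": ("20221201", "Low"),
    "woo-refund-and-exchange-lite": ("4.0.9", "Critical"),
    "armember": ("5.6", "Critical"),
    "yith-woocommerce-gift-cards-premium": ("3.20.0", "Critical"),
    "bulk-delete-users-by-email": (None, "High"),
    "iws-geo-form-fields": (None, "High"),
    "advanced-booking-calendar": (None, "Medium"),
}

def version_key(version):
    """Comparable key for versions such as 1.3.2.5, 2022.6 or 20221201.

    Numeric parts compare as integers (so 2022.10 > 2022.6), alphabetic
    parts sort after numeric ones, and trailing zeros are dropped so
    that 1.5.0 equals 1.5.
    """
    parts = re.split(r"[.\-]", version.strip())
    key = tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)
    while len(key) > 1 and key[-1] == (0, 0):
        key = key[:-1]
    return key

def assess(slug, installed_version):
    """Return 'ok', 'update', 'remove' or 'unlisted' for one installed plugin."""
    if slug not in ADVISORIES:
        return "unlisted"
    patched, _severity = ADVISORIES[slug]
    if patched is None:
        return "remove"  # closed plugin with no fix: uninstall and delete
    if version_key(installed_version) < version_key(patched):
        return "update"
    return "ok"

def triage(inventory):
    """List (severity, slug, installed, action, patched) findings, most severe first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    findings = []
    for slug, installed in inventory:
        action = assess(slug, installed)
        if action in ("update", "remove"):
            patched, severity = ADVISORIES[slug]
            findings.append((order[severity], severity, slug, installed, action, patched or "No Fix"))
    findings.sort()
    return [f[1:] for f in findings]

# Constructed sample inventory (not real site data); on a live site the same
# pairs can be read from `wp plugin list --format=csv`.
SAMPLE_INVENTORY = [
    ("autoptimize", "3.1.0"), ("woocommerce-jetpack", "5.6.2"),
    ("stop-spammer-registrations-plugin", "2022.5"), ("simple-basic-contact-form", "20221101"),
    ("armember", "5.5.1"), ("iws-geo-form-fields", "1.0"), ("akismet", "5.0.1"),
]

if __name__ == "__main__":
    for severity, slug, installed, action, patched in triage(SAMPLE_INVENTORY):
        print(f"{severity:8} {slug:40} installed {installed:10} -> {action} (patched: {patched})")
```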

WordPress Theme Vulnerabilities

This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

Workreap

Theme
Workreap

Theme Slug
workreap

Vulnerability
Subscriber+ Arbitrary Posts Deletion via IDOR

Patched in Version
2.6.4

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.6.4.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the WPScan Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

iThemes Team

Written by:
Abdul Wahid
Published on:
December 7, 2022

Categories: Woocommerce
