Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core Vulnerabilities
WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fix and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!
WordPress Core
- Vulnerability: Prototype Pollution in jQuery
- Patched in Version: 5.9.2
- Severity Score: Medium
WordPress Core
- Vulnerability: Contributor+ Stored Cross-Site Scripting
- Patched in Version: 5.9.2
- Severity Score: High
WordPress Core
- Vulnerability: Prototype Pollution via Gutenberg’s WordPress/url package
- Patched in Version: 5.9.2
- Severity Score: Medium
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version in which it was patched, and the severity rating.
WooCommerce
- Plugin: WooCommerce
- Installations: 5,000,000+
- Vulnerability: Orders Marked as Paid (via PayPal Standard Gateway)
- Patched in Version: 6.3.1
- Severity Score: Low
UpdraftPlus
- Plugin: UpdraftPlus WordPress Backup Plugin
- Installations: 3,000,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.22.9
- Severity Score: Medium
Gutenberg
- Plugin: Gutenberg
- Installations: 300,000+
- Vulnerability: Contributor+ Stored Cross-Site Scripting; Prototype Pollution via Gutenberg’s WordPress/url package
- Patched in Version: 12.7.2
- Severity Score: High
Ad Inserter
- Plugin: Ad Inserter – Ad Manager & AdSense Ads
- Installations: 200,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 2.7.12
- Severity Score: Low
MapPress Maps for WordPress
- Plugin: MapPress Maps for WordPress
- Installations: 60,000+
- Vulnerability: Admin+ File Upload to Remote Code Execution
- Patched in Version: 2.73.13
- Severity Score: Medium
Profile Builder
- Plugin: Profile Builder – User Profile & User Registration Forms
- Installations: 50,000+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 3.6.8
- Severity Score: Low
Amelia < 1.0.48
- Plugin: Amelia – Events & Appointments Booking Calendar
- Installations: 40,000+
- Vulnerability: Customer+ SMS Service Abuse and Sensitive Data Disclosure; Customer+ Arbitrary Appointments Status Update
- Patched in Version: 1.0.49
- Severity Score: Medium
Easy Social Icons
- Plugin: Easy Social Icons
- Installations: 40,000+
- Vulnerability: Admin+ SQL Injection
- Patched in Version: 3.1.4
- Severity Score: Medium
Google Pagespeed Insights
- Plugin: Insights from Google PageSpeed
- Installations: 30,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 4.0.4
- Severity Score: Medium
WP Block and Stop Bad Bots
- Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
- Installations: 10,000+
- Vulnerability: Unauthenticated SQLi
- Patched in Version: 6.88
- Severity Score: High
Booking Package
- Plugin: Booking Package – Appointment Booking Calendar System
- Installations: 9,000+
- Vulnerability: Unauthenticated Sensitive Data Disclosure
- Patched in Version: 1.5.29
- Severity Score: High
Ad Inserter
- Plugin: Ad Inserter Pro
- Installations: Unknown
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 2.7.12
- Severity Score: Low
Members List
- Plugin: Members List Plugin
- Installations: Unknown
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 4.3.7
- Severity Score: Medium
Ninja Forms File Uploads Extension
- Plugin: Ninja Forms File Uploads Extension
- Installations: Unknown
- Vulnerability: Unauthenticated Arbitrary File Upload
- Patched in Version: 3.3.1
- Severity Score: Critical
Ninja Forms File Uploads Extension
- Plugin: Ninja Forms File Uploads Extension
- Installations: Unknown
- Vulnerability: Unauthenticated Stored Cross-Site Scripting
- Patched in Version: 3.3.13
- Severity Score: High
Mark Posts
- Plugin: Mark Posts
- Installations: Unknown
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 2.0.1
- Severity Score: Low
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately deactivate, uninstall, and delete the plugin.
Dropdown Menu Widget
- Plugin: Dropdown Menu Widget
- Vulnerability: Subscriber+ Arbitrary Settings Update to Stored XSS
- Patched in Version: No Fix
- Severity Score: Medium
Library File Manager
- Plugin: Library File Manager
- Vulnerability: Subscriber+ Arbitrary File Creation/Upload/Deletion
- Patched in Version: No Fix
- Severity Score: Critical
KingComposer
- Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
- Vulnerability: Subscriber+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Medium
FormBuilder
- Plugin: FormBuilder
- Vulnerability: Stored Cross-Site Scripting via CSRF
- Patched in Version: No Fix
- Severity Score: Medium
Material Design for Contact Form 7
- Plugin: Material Design for Contact Form 7
- Vulnerability: Subscriber+ Arbitrary Settings Update leading to DoS
- Patched in Version: No Fix
- Severity Score: Medium
Updates Continue for 400+ Plugins, Themes Impacted by Insecure Freemius Version
Last week, it was discovered that many plugins and themes are using an insecure version of the Freemius Framework, the library they use to power their upsell paths from free to Pro.
As of this report, over 400 plugins and 25 themes are impacted. Because the list is so large, we’re linking directly to the WPScan vulnerability disclosure for the latest information about which versions carry the fix.
Actions to take:
WordPress Theme Vulnerabilities
This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version in which it was patched, and the severity rating.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, many new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.