Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WEDNESDAY, APRIL 6, 2022 @ 1:00 – 2:00 PM (CT)
A FREE ONLINE TRAINING EVENT from the iThemes Security team
For many, hackers exploiting plugin vulnerabilities seems mysterious and even frightening. In this webinar, WordPress security expert Kathy Zant will give you a quick and simple overview of how plugin vulnerabilities work with an actual demonstration of an old plugin vulnerability being exploited. This demonstration will underscore how important it is to keep your plugins updated. We’ll also talk about some common attacks and how iThemes Security helps you make good decisions to keep your WordPress websites secure.
WordPress Core Vulnerabilities
WordPress 5.9.2 was released on March 11, 2022, as a security and maintenance release with 1 bug fix and 3 security fixes. Because this is a security release, be sure to update to WordPress 5.9.2 as soon as possible!
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if a patch exists), and the severity rating.
Ninja Forms
- Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
- Installations: 1,000,000+
- Vulnerability: Unauthenticated Email Address Disclosure
- Patched in Version: 3.6.8-wp
- Severity Score: Medium
Loco Translate
- Plugin: Loco Translate
- Installations: 1,000,000+
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: 2.6.1
- Severity Score: High
Safe SVG
- Plugin: Safe SVG
- Installations: 600,000+
- Vulnerability: SVG Sanitization Bypass
- Patched in Version: 1.9.10
- Severity Score: Medium
Caldera Forms
- Plugin: Caldera Forms – More Than Contact Forms
- Installations: 200,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.9.7
- Severity Score: Medium
WP Downgrade
- Plugin: WP Downgrade | Specific Core Version
- Installations: 100,000+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 1.2.3
- Severity Score: Low
Hummingbird
- Plugin: Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS
- Installations: 100,000+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 3.3.2
- Severity Score: Low
Easy Digital Downloads
- Plugin: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
- Installations: 50,000+
- Vulnerability: Arbitrary Payment Note Insertion via CSRF; Admin+ Stored Cross-Site Scripting
- Patched in Version: 2.11.6
- Severity Score: Low
Woo Product Table
- Plugin: Product Table for WooCommerce (wooproducttable.com)
- Installations: 8,000+
- Vulnerability: Unauthenticated Arbitrary Function Call
- Patched in Version: 3.1.2
- Severity Score: Critical
Shopping Cart & eCommerce Store
- Plugin: Shopping Cart & eCommerce Store
- Installations: 6,000+
- Vulnerability: Arbitrary Design Settings Update via CSRF
- Patched in Version: 5.2.5
- Severity Score: Medium
RSVP and Event Management
- Plugin: RSVP and Event Management Plugin
- Installations: 5,000+
- Vulnerability: Unauthenticated Entries Export
- Patched in Version: 2.7.8
- Severity Score: High
Text Hover
- Plugin: Text Hover
- Installations: 3,000+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 4.2
- Severity Score: Low
SearchIQ
- Plugin: SearchIQ – The Search Solution
- Installations: 2,000+
- Vulnerability: Unauthenticated Stored XSS
- Patched in Version: 3.9
- Severity Score: High
Simple Event Planner
- Plugin: Simple Event Planner
- Installations: 1,000+
- Vulnerability: Author+ Stored Cross-Site Scripting
- Patched in Version: 1.5.5
- Severity Score: Medium
Daily Prayer Time
- Plugin: Daily Prayer Time
- Installations: 1,000+
- Vulnerability: Unauthenticated SQLi
- Patched in Version: 2022.03.01
- Severity Score: High
GS Variation Swatches for WooCommerce
- Plugin: GS Variation Swatches for WooCommerce
- Installations: 200+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.6.0
- Severity Score: Medium
WordPress Plugin Vulnerabilities – No Known Fix
This section lists plugin vulnerabilities for which no fix is known. Until a patch is available, uninstall and delete the affected plugin immediately; deactivating it alone is not enough, because the vulnerable files remain on the server.
EXMAGE
- Plugin: EXMAGE – WordPress Image Links
- Installations: 2,000+
- Vulnerability: Admin+ Blind SSRF
- Patched in Version: No Fix
- Severity Score: Low
Good & Bad Comments
- Plugin: Good & Bad comments
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Low
Thank Me Later
- Plugin: Thank Me Later
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Low
Page Security & Membership
- Plugin: Page Security & Membership
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Low
Autolinks
- Plugin: Autolinks
- Vulnerability: Stored Cross-Site Scripting via CSRF
- Patched in Version: No Fix
- Severity Score: Medium
Amministrazione Aperta
- Plugin: Amministrazione Aperta
- Vulnerability: Admin+ LFI
- Patched in Version: No Fix
- Severity Score: Low
Ad Injection
- Plugin: Ad Injection
- Vulnerability: Admin+ Stored Cross-Site Scripting & RCE
- Patched in Version: No Fix
- Severity Score: High
WordPress Theme Vulnerabilities
This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version number in which it was patched (if a patch exists), and the severity rating.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As this report shows, many new WordPress plugin and theme vulnerabilities are disclosed every week. Staying on top of every disclosure is difficult, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.