WordPress Vulnerability Report

Written by

Michael Moore
on

March 9, 2022

Last Updated on March 9, 2022

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress Core Vulnerabilities

WordPress 5.9.1 was released on February 22, 2022, as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

MC4WP

Plugin: MC4WP: Mailchimp for WordPress
Installations: 2,000,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.8.7
Severity Score: Low

Translate WordPress with GTranslate

Plugin: Translate WordPress with GTranslate
Installations: 300,000+
Vulnerability: CSRF to Account Takeover
Patched in Version: 2.9.9
Severity Score: High

Popup Builder

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Installations: 200,000+
Vulnerability: SQL Injection to Reflected Cross-Site Scripting
Patched in Version: 4.1.1
Severity Score: Medium

String Locator

Plugin: String locator
Installations: 100,000+
Vulnerability: Admin+ Arbitrary File Read
Patched in Version: 2.5.0
Severity Score: Low

Menu Image, Icons made easy

Plugin: Menu Image, Icons made easy
Installations: 100,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: 3.0.8
Severity Score: High

Amelia

Plugin: Amelia – Events & Appointments Booking Calendar
Installations: 40,000+
Vulnerability: Unauthenticated Stored XSS via lastName; Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
Patched in Version: 1.0.47
Severity Score: High

Drag and Drop Multiple File Upload – Contact Form 7

Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Installations: 40,000+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 1.3.6.3
Severity Score: Medium

WordPress File Upload

Plugin: WordPress File Upload
Installations: 30,000+
Vulnerability: Contributor+ Path Traversal to RCE
Patched in Version: 4.16.3
Severity Score: Critical

WPC Smart Wishlist for WooCommerce

Plugin: WPC Smart Wishlist for WooCommerce
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.9.4
Severity Score: Medium

SpeakOut! Email Petitions

Plugin: SpeakOut! Email Petitions
Installations: 5,000+
Vulnerability: Unauthenticated SQLi
Patched in Version: 2.14.15.1
Severity Score: High

Church Admin

Plugin: Church Admin
Installations: 1,000+
Vulnerability: Unauthenticated Plugin’s Backup Disclosure
Patched in Version: 3.4.135
Severity Score: High

Coupon Affiliates

Plugin: WooCommerce Affiliate Plugin – Coupon Affiliates
Installations: 1,000+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 4.16.4.5
Severity Score: High

Revision Manager TMC

Plugin: Revision Manager TMC
Installations: 1,000+
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: 2.8.0
Severity Score: Medium

Title Experiments Free

Plugin: Title Experiments Free
Installations: 800+
Vulnerability: Unauthenticated SQLi
Patched in Version: 9.0.1
Severity Score: High

Task Scheduler

Plugin: Task Scheduler
Installations: 500+
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: 1.6.1
Severity Score: Medium

Limit Login Attempts (Spam Protection)

Plugin: Limit Login Attempts (Spam Protection)
Installations: 300+
Vulnerability: Unauthenticated SQLi
Patched in Version: 5.1
Severity Score: High

Popup Like box

Plugin: Popup Like box – Page Plugin
Installations: 300+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.6.1
Severity Score: Medium

Admin Page Framework

Plugin: Admin Page Framework
Installations: 200+
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: 3.9.0
Severity Score: Medium

Conference Scheduler

Plugin: Conference Scheduler
Installations: 200+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.4.3
Severity Score: Medium

Plezi

Plugin: Plezi
Installations: 100+
Vulnerability: Unauthenticated Stored XSS
Patched in Version: 1.0.3
Severity Score: High

WordPress File Upload

Plugin
Vulnerability: Contributor+ Path Traversal to RCE
Patched in Version: 4.16.3
Severity Score: Critical

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

Pz-LinkCard

Plugin: Pz-LinkCard
Installations: 30,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: High

WP Block and Stop Bad Bots

Plugin: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
Vulnerability: Unauthenticated SQLi
Patched in Version: No Fix
Severity Score: High

Sermon Browser

Plugin: Sermon Browser
Vulnerability: Arbitrary File Upload via CSRF
Patched in Version: No Fix
Severity Score: Medium

Faculty Weekly Schedule

Plugin: Faculty Weekly Schedule
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: No Fix
Severity Score: Medium

Read Offline

Plugin: Read Offline
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: No Fix
Severity Score: Medium

OSMapper

Plugin: OSMapper
Vulnerability: Unauthenticated Arbitrary Post Deletion
Patched in Version: No Fix
Severity Score: High

Bank Mellat

Plugin: Bank Mellat
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Better Search TMC

Plugin: Better Search TMC
Vulnerability: Folders Disclosure via Outdated jQueryFileTree Library
Patched in Version: No Fix
Severity Score: Medium

Bulk Creator

Plugin: Bulk Creator
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Delete Old Orders

Plugin: Delete Old Orders
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Mapping Multiple URLs Redirect Same Page

Plugin: Mapping multiple URLs redirect same page
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Multilist Subscribe for Sendy

Plugin: Multilist Subscribe for Sendy
Vulnerability: Subscriber+ Arbitrary Options Update
Patched in Version: No Fix
Severity Score: High

Akismet Privacy Policies

Plugin: Akismet Privacy Policies
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Interactive Medical Drawing of Human Body

Plugin: Interactive Medical Drawing of Human Body
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

dTabs

Plugin: dTabs
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Narnoo Distributor

Plugin: Narnoo Distributor
Vulnerability: Unauthenticated LFI to Arbitrary File Read / RCE
Patched in Version: No Fix
Severity Score: High

Sync WooCommerce Product feed to Google Shopping

Plugin: Sync WooCommerce Product feed to Google Shopping
Vulnerability: Admin+ SQLi
Patched in Version: No Fix
Severity Score: Medium

Database Peek

Plugin: Database Peek
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

Wow Countdowns

Plugin: Wow Countdowns – easily create any countdowns, counters and timers
Vulnerability: Admin+ SQLi
Patched in Version: No Fix
Severity Score: Medium

Updates Continue for 400+ Plugins, Themes Impacted by Insecure Freemius Version

Last week, it was discovered that many plugins and themes are using an insecure version of the Freemius Framework, which is used to power their upsell paths from free to Pro.

As of this report, over 400 plugins and 25 themes are impacted. Because the list is so large, we’re linking directly to the WPScan vulnerability disclosure for the latest information about patches.

Actions to take:

Update all your themes and plugins to the latest versions.
Be sure to turn on automatic updates for your plugins and themes as developers continue to release updates.
Activate the iThemes Security Site Scan module to get a notification if we find that you are running a vulnerable plugin or theme.
Turn on Version Management in iThemes Security to handle automatic vulnerability patching.

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Good news! No new WordPress theme vulnerabilities were disclosed this week.

How to Protect Your WordPress Website From Vulnerable Plugins and Themes

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Security Monitoring

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Get iThemes Security Pro

Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.

Source link