Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
Want this report delivered to your inbox each week?
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
1. WordPress
Vulnerability: Expired DST Root CA X3 Certificate
Patched in Version: 5.8.2
Explanation:The wp-includes/certificates/ca-bundle.crt file contains a DST Root CA X3 which expired on September 30th, 2021, raising security warning in some cases.
The vulnerability has been patched, so make sure you are running WordPress 5.8.2.
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
1. Registrations for the Events Calendar
Plugin: Registrations for the Events Calendar
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.7.6
Severity Score: High
The vulnerability is patched, so you should update to version 2.7.6.
2. LoginWP
Plugin: LoginWP
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.0.5
Severity Score: High
The vulnerability is patched, so you should update to version 3.0.0.5.
3. WooCommerce Currency Switcher
Plugin: WooCommerce Currency Switcher
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.3.7.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.3.7.1.
4. Secure Copy Content Protection and Content Locking
Plugin: Secure Copy Content Protection and Content Locking
Vulnerability: Subscriber+ Email Address Disclosure
Patched in Version: 2.8.2
Severity Score: High
The vulnerability is patched, so you should update to version 2.8.2.
5. Bookly
Plugin: Bookly
Vulnerability: Staff Member Stored Cross-Site Scripting
Patched in Version: 20.3.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 20.3.1.
6. Email Log
Plugin: Email Log
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.4.8
Severity Score: High
The vulnerability is patched, so you should update to version 2.4.8.
7. Tawk.to Live Chat
Plugin: Tawk.to Live Chat
Vulnerability: Subscriber+ Visitor Monitoring & Chat Removal
Patched in Version: 0.6.0
Severity Score: High
The vulnerability is patched, so you should update to version 0.6.0.
8. WP Data Access
Plugin: WP Data Access
Vulnerability: Admin+ SQL Injection
Patched in Version: 5.0.0
Severity Score: High
The vulnerability is patched, so you should update to version 5.0.0.
9. PDF.js Viewer
Plugin: PDF.js Viewer
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.0.2
Severity Score: Medium
The vulnerability is patched, so you should update to version 2.0.2.
10. Backup and Restore
Plugin: Backup and Restore
Vulnerability: Admin+ Arbitrary File Deletion
Patched in Version: No known fix
Severity Score: Medium
This vulnerability has NOT been patched. Uninstall and delete the plugin until a patch is released.
11. LearnPress
Plugin: LearnPress
Vulnerability: Admin+ SQL Injection
Patched in Version: 4.1.4
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.1.4.
12. Get Custom Field Values
Plugin: Get Custom Field Values
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 4.0.1
Severity Score: Medium
The vulnerability is patched, so you should update to version 4.0.1.
13. Booking Package
Plugin: Booking Package
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.5.11
Severity Score: Medium
The vulnerability is patched, so you should update to version 1.5.11.
14. Like Button Rating
Plugin: Like Button Rating
Vulnerability: Unauthorised Vote Export to Email & IP Addresses Disclosure
Patched in Version: 2.6.38
Severity Score: High
The vulnerability is patched, so you should update to version 2.6.38.
15. Caldera Forms
Plugin: Caldera Forms
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.9.5
Severity Score: Low
The vulnerability is patched, so you should update to version 1.9.5.
16. Starter Templates
Plugin: Starter Templates
Vulnerability: Contributor+ Block Import to Stored XSS
Patched in Version: 2.7.1
Severity Score: High
The vulnerability is patched, so you should update to version 2.7.1.
17. Contact Form Email
Plugin: Contact Form Email
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.3.25
Severity Score: Low
The vulnerability is patched, so you should update to version 1.3.25.
18. Video Gallery – Vimeo and YouTube Gallery
Plugin: Video Gallery – Vimeo and YouTube Gallery
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.5
Severity Score: Low
The vulnerability is patched, so you should update to version 1.1.5.
19. WordPress Popular Posts
Plugin: WordPress Popular Posts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.3.4
Severity Score: Low
The vulnerability is patched, so you should update to version 5.3.4.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.