WordPress Vulnerability Report – January 26, 2022
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of Low, Medium, High, or Critical.
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress 5.9: Core Major Version Update Now Available
WordPress 5.9 “Joséphine” was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).
WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.
In this post, we unpack what’s new and noteworthy in WordPress 5.9 so you can get the most out of the latest version of WordPress.
You can update to WordPress 5.9 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.
If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
Anti-Malware Security and Brute-Force Firewall
- Plugin:
- Anti-Malware Security and Brute-Force Firewall
- Installations:
- 200,000+
- Vulnerability:
- Admin+ Reflected Cross-Site Scripting
- Patched in Version:
- 4.20.94
- Severity Score:
- Low
Popup Builder
- Plugin:
- Popup Builder – Create highly converting, mobile friendly marketing popups.
- Installations:
- 200,000+
- Vulnerability:
- <meta charset="utf-8">LFI to RCE<br>Admin+ SQL Injection
- Patched in Version:
- 4.0.7
- Severity Score:
- Critical
Ad Inserter
- Plugin:
- Ad Inserter – Ad Manager & AdSense Ads
- Installations:
- 200,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 2.7.10
- Severity Score:
- Medium
GiveWP
- Plugin:
- GiveWP – Donation Plugin and Fundraising Platform
- Installations:
- 100,000+
- Vulnerability:
- Unauthenticated Reflected Cross-Site Scripting; Reflected Cross-Site Scripting via Import Tool; Reflected Cross-Site Scripting via Donation Forms Dashboard
- Patched in Version:
- 2.17.3
- Severity Score:
- Medium
WordPress Download Manager
- Plugin:
- Download Manager
- Installations:
- 100,000+
- Vulnerability:
- Authenticated SQL Injection to Reflected XSS
- Patched in Version:
- 3.2.34
- Severity Score:
- Medium
Database Backup for WordPress
- Plugin:
- Database Backup for WordPress
- Installations:
- 100,000+
- Vulnerability:
- Admin+ SQL Injection
- Patched in Version:
- 2.5.1
- Severity Score:
- Medium
Advanced Database Cleaner
- Plugin:
- Advanced Database Cleaner
- Installations:
- 80,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 3.0.4
- Severity Score:
- Medium
Shield Security
- Plugin:
- Shield Security – Scanners, Security Hardening, Brute Force Protection & Firewall
- Installations:
- 60,000+
- Vulnerability:
- Admin+ Stored Cross-Site Scripting
- Patched in Version:
- 13.0.6
- Severity Score:
- Low
WOOCS
- Plugin:
- WOOCS – Currency Switcher for WooCommerce. Professional and Free multi currency plugin – Pay in selected currency
- Installations:
- 60,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 1.3.7.5
- Severity Score:
- Medium
Image Photo Gallery Final Tiles Grid
- Plugin:
- Image Photo Gallery Final Tiles Grid
- Installations:
- 30,000+
- Vulnerability:
- Contributor+ Stored Cross-Site Scripting
- Patched in Version:
- 3.5.3
- Severity Score:
- Medium
Classic Editor Addon
- Plugin:
- Classic Editor Addon
- Installations:
- 30,000+
- Vulnerability:
- Arbitrary Plugin Installation from Dependency via CSRF; Subscriber+ Arbitrary Plugin Activation
- Patched in Version:
- 2.6.4
- Severity Score:
- Low
Float Menu
- Plugin:
- Float menu – awesome floating side menu
- Installations:
- 20,000+
- Vulnerability:
- Arbitrary Menu Deletion via CSRF
- Patched in Version:
- 4.3.1
- Severity Score:
- Medium
FeedWordPress
- Plugin:
- FeedWordPress
- Installations:
- 20,000+
- Vulnerability:
- Reflected Cross-Site Scripting (XSS)
- Patched in Version:
- 2022.0123
- Severity Score:
- Medium
Catch Web Tools
- Plugin:
- Catch Web Tools
- Installations:
- 20,000+
- Vulnerability:
- Subscriber+ Arbitrary Catch IDs Activation/Deactivation
- Patched in Version:
- 2.7.1
- Severity Score:
- Medium
WP HTML Mail
- Plugin:
- WordPress Email Template Designer – WP HTML Mail
- Installations:
- 20,000+
- Vulnerability:
- Unprotected REST-API Endpoint
- Patched in Version:
- 3.1
- Severity Score:
- Medium
Coming soon and Maintenance mode
- Plugin:
- Coming soon and Maintenance mode
- Installations:
- 10,000+
- Vulnerability:
- Arbitrary Email Sending to Subscribed Users via CSRF; Subscriber+ Arbitrary Email Sending to Subscribed Users
- Patched in Version:
- 3.6.8
- Severity Score:
- Low
Duplicate Page or Post
- Plugin:
- Duplicate Page or Post
- Installations:
- 10,000+
- Vulnerability:
- Arbitrary Settings Update to Stored XSS
- Patched in Version:
- 1.5.1
- Severity Score:
- High
WP Debugging
- Plugin:
- WP Debugging
- Installations:
- 5,000+
- Vulnerability:
- Arbitrary Plugin Installation from Dependency via CSRF
- Patched in Version:
- 2.11.7
- Severity Score:
- Low
AnyComment
- Plugin:
- AnyComment
- Installations:
- 4,000+
- Vulnerability:
- Comment Rating Increase/Decrease via Race Condition; Arbitrary HyperComments Import/Revert via CSRF
- Patched in Version:
- 0.2.18
- Severity Score:
- Low
Ad Inserter
- Plugin:
- Ad Inserter Pro
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 2.7.10
- Severity Score:
- Medium
Five Star Business Profile and Schema
- Plugin:
- Five Star Business Profile and Schema
- Installations:
- 10,000+
- Vulnerability:
- Subscriber+ page creation and settings update leading to stored XSS
- Patched in Version:
- 2.1.9
- Severity Score:
- Medium
WordPress Plugin Vulnerabilities – No Known Fix
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure
The Buffer Button
- Plugin:
- The Buffer Button
- Vulnerability:
- Authenticated Stored Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
Translation Exchange
- Plugin:
- Translation Exchange – Translate Your WordPress Site In Minutes!
- Vulnerability:
- Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
Lean WP
- Plugin:
- Lean WP
- Vulnerability:
- Subscriber+ Arbitrary Plugin Activation
- Patched in Version:
- No Fix
- Severity Score:
- Medium
ProfileGrid
- Plugin:
- ProfileGrid – User Profiles, Memberships, Groups and Communities
- Vulnerability:
- Subscriber+ Stored Cross-Site Scripting
- Patched in Version:
- No Fix
- Severity Score:
- Medium
User Registration, Login & Landing Pages
- Plugin:
- User Registration, Login & Landing Pages – LeadMagic
- Vulnerability:
- Admin+ Stored Cross-Site Scripting
- Patched in Version:
- No Fix
- Severity Score:
- Medium
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Sign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Get started with confidence — risk free, guaranteed