Updated: 16-01-22

WordPress Vulnerability News, January 2022

Agnes Talalaev
from patchstack

WordPress vulnerability news is a weekly digest of highlighted WordPress plugin security vulnerabilities and vulnerability disclosures that have been published (other, less critical vulnerabilities in smaller plugins unfortunately don't make the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities listed in this article have received a virtual patch in the Patchstack security module. This means that if you use Patchstack, your site is protected against these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site.

You can find all the vulnerabilities mentioned in our WordPress vulnerability news in our vulnerability database.

Login/Signup Popup ( Inline Form + Woocommerce )

A simple and lightweight plugin that makes the registration, login & reset password process smooth.

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
Fixed in version: 2.3
Number of sites affected: 20,000+
CVSS 3.0 score: 8.8 (High)

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update discovered by Chloe Chamberland (Wordfence) in WordPress Login/Signup Popup plugin (versions <= 2.2).

Update the WordPress Login/Signup Popup plugin to the latest available version (at least 2.3).

Side Cart Woocommerce (Ajax)

With the side cart, users can access cart items from anywhere on your site.

Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 3.1
Number of sites affected: 60,000+
CVSS 3.0 score: 8.2 (High - Can be exploited remotely without any authentication.)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress WP HTML Mail plugin (versions <= 3.0.9).

Update the WordPress WP HTML Mail plugin to the latest available version (at least 3.1).

PHP Everywhere

This plugin enables PHP code everywhere in your WordPress installation.

Vulnerability: Remote Code Execution (RCE)
Fixed in version: 3.0.0
Number of sites affected: 30,000+
CVSS 3.0 score: 9.9 (Critical - Requires contributor or higher role user authentication.)

Remote Code Execution (RCE) vulnerability discovered by Ex.Mi (Patchstack) in WordPress PHP Everywhere plugin (versions <= 2.0.3).

Update the WordPress PHP Everywhere plugin to the latest available version (at least 3.0.0).

WooCommerce – Store Exporter

Export WooCommerce Products, Orders, Categories, Tags, Users, and other store details into Excel spreadsheets that suit your store requirements.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.7.1
Number of sites affected: 10,000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WooCommerce – Store Exporter plugin (versions <= 2.7).

Update the WordPress WooCommerce – Store Exporter plugin to the latest available version (at least 2.7.1).

Translate WordPress with GTranslate

The Translate WordPress with GTranslate plugin uses the Google Translate automatic translation service to translate a WordPress site and make it multilingual.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.9.7
Number of sites affected: 300,000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress GTranslate plugin (versions <= 2.9.6).

Update the WordPress GTranslate plugin to the latest available version (at least 2.9.7).

Paid Memberships Pro

Restrict content, manage member subscriptions with recurring payments. User registration, custom profile fields, and robust member management.

Vulnerability: Unauthenticated Blind SQL Injection (SQLi)
Fixed in version: 2.6.7
Number of sites affected: 100,000+
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Paid Memberships Pro plugin (versions <= 2.6.6).

Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.6.7).

IP2Location Country Blocker

This plugin enables users to block unwanted traffic from accessing your frontend (blog pages) or backend (admin area) by countries or proxy servers.

Vulnerability: Arbitrary Country Ban via Cross-Site Request Forgery (CSRF)
Fixed in version: 2.26.6
Number of sites affected: 10,000+
CVSS 3.0 score: 7.1 (High)

Vulnerability: Arbitrary Country Ban by low privilege users
Fixed in version: 2.26.6
Number of sites affected: 10,000+
CVSS 3.0 score: 6.3 (Medium - Requires subscriber or higher role user authentication.)

Vulnerability: Ban Bypass vulnerability
Fixed in version: 2.26.5
Number of sites affected: 10,000+
CVSS 3.0 score: 5.3 (Medium)

Update the WordPress IP2Location Country Blocker plugin to the latest available version (at least 2.26.6).

Order Tracking – WordPress Status Tracking Plugin

Order tracking and status tracking software that allows you to quickly and easily manage the status of your orders, projects, shipments, or any other item.

Vulnerability: Cross-Site Request Forgery (CSRF) leading to Order, Customer and Sales Representative Deletion
Fixed in version: 3.0.17
Number of sites affected: 5,000+
CVSS 3.0 score: 7.1 (High)

Cross-Site Request Forgery (CSRF) leading to Order, Customer and Sales Representative Deletion discovered in WordPress Order Tracking plugin (versions <= 3.0.16).

Update the WordPress Order Tracking plugin to the latest available version (at least 3.0.17).

WordPress Core 5.8.3 security update

On the 6th of January 2022, WordPress.org released a security update and recommended that users "update your sites immediately". This WordPress core 5.8.3 security update addresses 4 different security vulnerabilities which affect WordPress core versions between 3.7 and 5.8.

Read more about the vulnerabilities here.

SupportCandy – Helpdesk & Support Ticket System

This plugin adds a helpdesk ticket system to your WordPress site.

Vulnerability: Unauthenticated Arbitrary Ticket Deletion
Fixed in version: 2.2.5
Number of sites affected: 10,000+
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.2.7
Number of sites affected: 10,000+
CVSS 3.0 score: 6.1 (Medium)

Vulnerability: Arbitrary Ticket Deletion via Cross-Site Request Forgery (CSRF)
Fixed in version: 2.2.7
Number of sites affected: 10,000+
CVSS 3.0 score: 5.4 (Medium)

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Fixed in version: 2.2.7
Number of sites affected: 10,000+
CVSS 3.0 score: 6.1 (Medium)

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 2.2.7
Number of sites affected: 10,000+
CVSS 3.0 score: 4.8 (Medium - Requires contributor or higher role user authentication.)

Update the WordPress SupportCandy plugin to the latest available version (at least 2.2.7).

WebP Converter for Media – Convert WebP and AVIF & Optimize Images

Speed up your website by serving WebP and AVIF images.

Vulnerability: Unauthenticated Open redirect
Fixed in version: 4.0.3
Number of sites affected: 100,000+
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Open redirect vulnerability discovered by Krzysztof Zając in WordPress WebP Converter for Media plugin (versions <= 4.0.2).

Update the WordPress WebP Converter for Media plugin to the latest available version (at least 4.0.3).

NextScripts

This plugin automatically publishes posts from your blog to your Social Media accounts such as Facebook, Twitter, Google+(Google Plus), and more.

Vulnerability: Post Deletion via Cross-Site Request Forgery (CSRF)
Fixed in version: 4.3.25
Number of sites affected: 90,000+
CVSS 3.0 score: 5.4 (Medium)

Post Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress NextScripts plugin (versions <= 4.3.24).

Update the WordPress NextScripts plugin to the latest available version (at least 4.3.25).

Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 4.3.24
Number of sites affected: 90,000+
CVSS 3.0 score: 6.1 (Medium)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress NextScripts: Social Networks Auto-Poster plugin (versions <= 4.3.23).

Update the WordPress NextScripts: Social Networks Auto-Poster plugin to the latest available version (at least 4.3.24).

Ultimate FAQ – WordPress FAQ and Accordion Plugin

FAQ plugin for WordPress.

Vulnerability: Arbitrary FAQ Creation
Fixed in version: 2.1.2
Number of sites affected: 30,000+
CVSS 3.0 score: 4.3 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary FAQ Creation vulnerability discovered by Krzysztof Zając in WordPress Ultimate FAQ plugin (versions <= 2.1.1).

Update the WordPress Ultimate FAQ plugin to the latest available version (at least 2.1.2).

Code Snippets

Code Snippets is an easy, clean and simple way to run code snippets on your site.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.14.3
Number of sites affected: 600,000+
CVSS 3.0 score: 4.8 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Code Snippets plugin (versions <= 2.14.2).

Update the WordPress Code Snippets plugin to the latest available version (at least 2.14.3).

TrustMate.io

TrustMate – Reviews for your shop and products at your WooCommerce site.

Vulnerability: Arbitrary Blog Option Update
Fixed in version: 1.7.1
Number of sites affected: 300+
CVSS 3.0 score: 7.1 (High - Requires subscriber or higher role user authentication.)

Arbitrary Blog Option Update vulnerability discovered by WPScanTeam in WordPress TrustMate.io – integracja z WooCommerce plugin (versions <= 1.7.0).

Update the WordPress TrustMate.io – integracja z WooCommerce plugin to the latest available version (at least 1.7.1).

Vulnerability: Arbitrary Plugin's Settings Update
Fixed in version: 1.8.12
Number of sites affected: 300+
CVSS 3.0 score: 5.4 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin's Settings Update vulnerability discovered by WPScanTeam in WordPress TrustMate.io – integracja z WooCommerce plugin (versions <= 1.8.11).

Update the WordPress TrustMate.io – integracja z WooCommerce plugin to the latest available version (at least 1.8.12).

Affiliates Manager

WP Affiliate Manager can help you manage an affiliate marketing program to drive more traffic and more sales to your store.

Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 2.9.0
Number of sites affected: 10 000+
CVSS 3.0 score: 6.1 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Affiliates Manager plugin (versions <= 2.8.9).

Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.0).

Event Tickets

Manage tickets and RSVPs for free with Event Tickets, from the team behind the number one calendar on WordPress.

Vulnerability: Open Redirect
Fixed in version: 5.2.2
Number of sites affected: 40 000+
CVSS 3.0 score: 6.5 (Medium)

Open Redirect vulnerability discovered in WordPress Event Tickets plugin (versions <= 5.2.1).

Update the WordPress Event Tickets plugin to the latest available version (at least 5.2.2).

Simple Download Monitor

Simple Download Monitor plugin helps to manage digital downloads and monitor the number of downloads of files and documents.

Vulnerability: Multiple Cross-Site Request Forgery (CSRF)
Fixed in version: 3.9.9
Number of sites affected: 30 000+
CVSS 3.0 score: 6.3 (Medium)

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by apple502j in the WordPress Simple Download Monitor plugin (versions <= 3.9.8).

Update the WordPress Simple Download Monitor to the latest available version (at least 3.9.9).

Crisp Live Chat

Crisp Live Chat is a free chat for your website.

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Fixed in version: 0.32
Number of sites affected: 30 000+
CVSS 3.0 score: 8.8 (High)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by José Aguilera in WordPress Crisp Live Chat plugin (versions <= 0.31).

Update the WordPress Crisp Live Chat plugin to the latest available version (at least 0.32).

Image Hover Effects Ultimate

Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison, or Magnifier) is an image hover effects gallery.

Vulnerability: Unauthenticated Arbitrary Options Update leading to full website compromise
Fixed in version: 9.6.2
Number of sites affected: 20 000+
CVSS 3.0 score: 9.8 (Critical - Can be exploited remotely without any authentication.)

Unauthenticated Arbitrary Options Update leading to full website compromise discovered by mirphak aka John Castro (Pagely) in WordPress Image Hover Effects Ultimate plugin (versions <= 9.6.1).

Update the WordPress Image Hover Effects Ultimate plugin to the latest available version (at least 9.6.2).

All in One SEO

All in One SEO is a WordPress SEO plugin.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: 4.1.5.3
Number of sites affected: 3+ million
CVSS 3.0 score: 7.7 (High - Requires subscriber or higher role user authentication if chained with CVE-2021-25036.)

Authenticated SQL Injection (SQLi) vulnerability discovered by Marc Montpas in WordPress All in One SEO plugin (versions <= 4.1.5.2).

Update the WordPress All in One SEO plugin to the latest available version (at least 4.1.5.3).

Vulnerability: Authenticated Privilege Escalation
Fixed in version: 4.1.5.3
Number of sites affected: 3+ million
CVSS 3.0 score: 9.9 (Critical - Requires subscriber or higher role user authentication.)

Authenticated Privilege Escalation vulnerability discovered by Marc Montpas in WordPress All in One SEO plugin (versions <= 4.1.5.2).

Update the WordPress All in One SEO plugin to the latest available version (at least 4.1.5.3).

The Plus Addons for Elementor PRO

Unlock a Faster Elementor Experience with Extra 120+ Powerful Widgets & Extensions for your next big idea.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 5.0.7
Number of sites affected: 50 000+
CVSS 3.0 score: 7.4 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by Nicolas Vidal from TEHTRIS in WordPress The Plus Addons for Elementor Pro premium plugin (versions <= 5.0.6).

Update the WordPress The Plus Addons for Elementor Pro premium plugin to the latest available version (at least 5.0.7).

True Ranker

Now you can enjoy, for free, the only SEO app that gives you total control of your geolocated Google results with 100% real accuracy.

Vulnerability: Directory Traversal/Arbitrary File Read
Fixed in version: 2.2.4
Number of sites affected: 200+
CVSS 3.0 score: 7.5 (High - Can be exploited remotely without any authentication.)

Directory Traversal/Arbitrary File Read vulnerability discovered by p7e4 in WordPress True Ranker plugin (versions <= 2.2.2).

Update the WordPress True Ranker plugin to the latest available version (at least 2.2.4).

tarteaucitron.js – Cookies legislation & GDPR

tarteaucitron.js is a script to get in compliance with cookies and GDPR.

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Fixed in version: 1.6
Number of sites affected: 7 000+
CVSS 3.0 score: 6.1 (Medium)

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by Julio Potier (SecuPress.me) in WordPress tarteaucitron.js – Cookies legislation & GDPR plugin (versions <= 1.5.4).

Update the WordPress tarteaucitron.js – Cookies legislation & GDPR plugin to the latest available version (at least 1.6).

RegistrationMagic

Create custom WordPress Registration Forms, allow secure user registration, accept payments, track submissions, manage users, analyze stats, assign user roles, automate processes, send bulk emails and much more. 

Vulnerability: Authentication Bypass vulnerability
Fixed in version: 5.0.1.8
Number of sites affected: 10 000+
CVSS 3.0 score: 9.8 (Critical - Can be exploited remotely without any authentication.)

Authentication Bypass vulnerability discovered by Marco Wotschka and Chloe Chamberland in WordPress RegistrationMagic plugin (versions <= 5.0.1.7).

Update the WordPress RegistrationMagic plugin to the latest available version (at least 5.0.1.8).

10Web Social Photo Feed

10Web Social Photo Feed for Instagram is the leading plugin for easily presenting a customizable Instagram feed on your website.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 1.4.29
Number of sites affected: 60 000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress 10Web Social Photo Feed plugin (versions <= 1.4.28).

Update the WordPress 10Web Social Photo Feed plugin to the latest available version (at least 1.4.29).

WC Marketplace

WC Marketplace provides you with the best marketplace software you can get to kickstart your own virtual eCommerce marketplace.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.8.5
Number of sites affected: 10 000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress WC Marketplace plugin (versions <= 3.8.4).

Update the WordPress WC Marketplace plugin to the latest available version (at least 3.8.5).

Site Reviews

Site Reviews allows your visitors to submit reviews with a 1-5 star rating on your website, similar to the way you would on TripAdvisor or Yelp.

Vulnerability: Unauthenticated Settings Change
Fixed in version: 5.17.3
Number of sites affected: 40 000+
CVSS 3.0 score: 6.1 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Site Reviews plugin (versions <= 5.17.2).

Update the WordPress Site Reviews plugin to the latest available version (at least 5.17.3).

PublishPress Capabilities

PublishPress Capabilities gives you control over all the permissions on your WordPress site.

Vulnerability: Unauthenticated Settings Change
Fixed in version: 2.3.1
Number of sites affected: 100 000+
CVSS 3.0 score: 8.2 (High - Can be exploited remotely without any authentication.)

Unauthenticated Settings Change vulnerability discovered by Krzysztof Zając in WordPress PublishPress Capabilities plugin (versions <= 2.3).

Update the WordPress PublishPress Capabilities plugin to the latest available version (at least 2.3.1).

WP Coder – add custom html, css and js code

WP Coder – plugin for adding custom code to the site. You can easily add HTML CSS JS code to the page of your site.

Vulnerability: Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF
Fixed in version: 2.5.2
Number of sites affected: 10 000+
CVSS 3.0 score: 7.2 (High)

Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability discovered by Krzysztof Zając in WordPress WP Coder plugin (versions <= 2.5.1).

Update the WordPress WP Coder plugin to the latest available version (at least 2.5.2).

Modal Window – create popup modal window

Use the free WordPress popup plugin “Modal Window” to quickly and easily create informative popups.

Vulnerability: Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF
Fixed in version: 5.2.2
Number of sites affected: 10 000+
CVSS 3.0 score: 7.2 (High)

Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability discovered by Krzysztof Zając in WordPress Modal Window plugin (versions <= 5.2.1).

Update the WordPress Modal Window plugin to the latest available version (at least 5.2.2).

CAOS | Host Google Analytics Locally

CAOS (Complete Analytics Optimization Suite) for Google Analytics allows you to host analytics.js/gtag.js locally and keep it updated using WordPress’ built-in Cron-schedule.

Vulnerability: Arbitrary Folder Deletion via Path Traversal
Fixed in version: 4.1.9
Number of sites affected: 20 000+
CVSS 3.0 score: 6.5 (Medium - Requires high role user authentication like admin.)

Arbitrary Folder Deletion via Path Traversal vulnerability discovered by José Aguilera in WordPress CAOS | Host Google Analytics Locally plugin (versions <= 4.1.8).

Update the WordPress CAOS | Host Google Analytics Locally plugin to the latest available version (at least 4.1.9).

OMGF | Host Google Fonts Locally

Leverage Browser Cache, Minimize DNS requests, reduce Cumulative Layout Shift and serve your Google Fonts in a 100% GDPR compliant way with OMGF.

Vulnerability: Arbitrary Folder Deletion via Path Traversal
Fixed in version: 4.5.12
Number of sites affected: 40 000+
CVSS 3.0 score: 6.5 (Medium - Requires high role user authentication like admin.)

Arbitrary Folder Deletion via Path Traversal vulnerability discovered by José Aguilera in WordPress OMGF | Host Google Fonts Locally plugin (versions <= 4.5.11).

Update the WordPress OMGF | Host Google Fonts Locally plugin to the latest available version (at least 4.5.12).

Variation Swatches for WooCommerce

Variation Swatches for WooCommerce plugin provides a much nicer way to display variations of variable products.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 2.1.2
Number of sites affected: 80 000+
CVSS 3.0 score: 6.1 (Medium - Requires subscriber, customer or higher role user authentication.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Chloe Chamberland (Wordfence) in WordPress Variation Swatches for WooCommerce plugin (versions <= 2.1.1).

Update the WordPress Variation Swatches for WooCommerce plugin to the latest available version (at least 2.1.2).

LiteSpeed Cache

LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features.

Vulnerability: IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 4.4.4
Number of sites affected: 2+ million
CVSS 3.0 score: 6.1 (Medium)

IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Emil Kylander in WordPress LiteSpeed Cache plugin (versions <= 4.4.3).

Update the WordPress LiteSpeed Cache plugin to the latest available version (at least 4.4.4).

Contact Form & Lead Form Elementor Builder

Lead Form Builder Plugin is a contact form builder as well as lead generator.

Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.6.4
Number of sites affected: 20 000+
CVSS 3.0 score: 6.1 (Medium)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Contact Form & Lead Form Elementor Builder plugin (versions <= 1.6.3).

Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version (at least 1.6.4).

Awesome Support – WordPress HelpDesk & Support Plugin

Awesome Support is a support plugin for WordPress. 

Vulnerability: Multiple Authenticated Reflected Cross-Site Scripting (XSS)
Fixed in version: 6.0.7
Number of sites affected: 10 000+
CVSS 3.0 score: 6.1 (Medium)

Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities were discovered by Ex.Mi in WordPress Awesome Support plugin (versions <= 6.0.6).

Update the WordPress Awesome Support plugin to the latest available version (at least 6.0.7).

WordPress core

Vulnerability: Plugin Confusion
Fixed in version: 5.8
Number of sites affected: N/A
CVSS 3.0 score: 8.1 (High)

Plugin Confusion vulnerability discovered by Kamil Vavra in WordPress (versions <= 5.7.4).

Update WordPress to the latest available version (at least 5.8 or other patched version).

Hide My WP - Amazing Security Plugin for WordPress!

Hide My WP is a plugin for WordPress. 

Vulnerability: Unauthenticated Plugin Deactivation
Fixed in version: 6.2.4
Number of sites affected: 20 000+
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Vulnerability: Unauthenticated SQL injection (SQLi) 
Fixed in version: 6.2.4
Number of sites affected: 20 000+
CVSS 3.0 score: 8.6 (High - Can be exploited remotely without any authentication.)

Multiple vulnerabilities discovered by Dave Jong in WordPress Hide My WP premium plugin (versions <= 6.2.3).

Update the WordPress Hide My WP premium plugin to the latest available version (at least 6.2.4).

Everest Forms

Everest Forms is the best WordPress form builder, meticulously designed by our team of experts to take your form-building experience to the next level.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 1.8.0
Number of sites affected: 100 000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Everest Forms plugin (versions <= 1.7.9).

Update the WordPress Everest Forms plugin to the latest available version (at least 1.8.0).

WCFM Marketplace

WooCommerce Multivendor Marketplace (WCFM Marketplace) is the best free front end multi-vendor marketplace plugin on WordPress, powered by WooCommerce.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 3.4.12
Number of sites affected: 30 000+
CVSS 3.0 score: 7.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress WCFM Marketplace plugin (versions <= 3.4.11).

Update the WordPress WCFM Marketplace plugin to the latest available version (at least 3.4.12).

WP Visitor Statistics (Real Time Traffic)

A comprehensive plugin for your WordPress visitor statistics. Track statistics for your WordPress site without depending on external services.

Vulnerability: SQL Injection (SQLi)
Fixed in version: 4.8
Number of sites affected: 20 000+
CVSS 3.0 score: 6.3 (Medium - Requires subscriber or higher role user authentication.)

SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress WP Visitor Statistics (Real Time Traffic) plugin (versions <= 4.7).

Update the WordPress WP Visitor Statistics (Real Time Traffic) plugin to the latest available version (at least 4.8).

Login/Signup Popup ( Inline Form + Woocommerce )

A simple and lightweight plugin which makes the registration, login & reset password process super smooth.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.2
Number of sites affected: 20 000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Login/Signup Popup plugin (versions <= 2.1).

Update the WordPress Login/Signup Popup plugin to the latest available version (at least 2.2).

SportsPress – Sports Club & League Manager

Transform your WordPress blog into a fully configurable team, club, or league website.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.7.9
Number of sites affected: 20 000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress SportsPress – Sports Club & League Manager plugin (versions <= 2.7.8).

Update the WordPress SportsPress – Sports Club & League Manager plugin to the latest available version (at least 2.7.9).

Stop Bad Bots

WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 6.67
Number of sites affected: 10 000+
CVSS 3.0 score: 7.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress StopBadBots plugin (versions <= 6.66).

Update the WordPress StopBadBots plugin to the latest available version (at least 6.67).

Temporary Login Without Password

Create secure, self-expiring automatic login links for WordPress.

Vulnerability: Unauthorized Plugin's Settings Update
Fixed in version: 1.7.1
Number of sites affected: 40 000+
CVSS 3.0 score: 5.4 (Medium - Requires subscriber or higher role user authentication.)

Unauthorized Plugin's Settings Update vulnerability discovered by apple502j in WordPress Temporary Login Without Password plugin (versions <= 1.7.0).

Update the WordPress Temporary Login Without Password plugin to the latest available version (at least 1.7.1).

WPO365

With WPO365 | LOGIN users can sign in with their corporate or school (Azure AD / Microsoft Office 365) account to access your WordPress website.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 15.4
Number of sites affected: 4 000+
CVSS 3.0 score: 9.3 (Critical)

Stored Cross-Site Scripting (XSS) vulnerability discovered by AppCheck in WordPress WPO365 plugin (versions <= 15.3).

Update the WordPress WPO365 plugin to the latest available version (at least 15.4).

Starter Templates — Elementor, Gutenberg & Beaver Builder Templates

Create professionally designed pixel-perfect websites in minutes with the Starter Templates plugin.

Vulnerability: Authenticated Block Import leading to Stored Cross-Site Scripting (XSS)
Fixed in version: 2.7.1
Number of sites affected: 1+ million
CVSS 3.0 score: 7.6 (High - Requires contributor or higher role user authentication.)

Authenticated Block Import leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by Ramuel Gall in WordPress Starter Templates plugin (versions <= 2.7.0).

Update the WordPress Starter Templates plugin to the latest available version (at least 2.7.1).

WP Reset PRO Premium

Speed up site deployment, testing & recovery by controlling, resetting & restoring the WordPress environment in one click.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 5.99
Number of sites affected: 400 000+
CVSS 3.0 score: 8.8 (High)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Dave Jong (Patchstack) in WordPress WP Reset PRO premium plugin (versions <= 5.98).

Update the WordPress WP Reset PRO premium plugin to the latest available version (at least 5.99).

WordPress core

Vulnerability: Expired DST Root CA X3 Certificate issue
Fixed in version: 5.8.2
Number of sites affected: N/A

Expired DST Root CA X3 Certificate issue discovered by Bradley Taylor in WordPress core (versions <= 5.8.1).

Secure Copy Content Protection and Content Locking

Secure Copy Content Protection is a plugin aimed at protecting web content from being plagiarized.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 2.8.2
Number of sites affected: 10 000+
CVSS 3.0 score: 7.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Secure Copy Content Protection and Content Locking plugin (versions <= 2.8.1).

Update the WordPress Secure Copy Content Protection and Content Locking plugin to the latest available version (at least 2.8.2).

Tawk.To Live Chat

Monitor and chat with visitors on your WordPress site.

Vulnerability: Visitor Monitoring & Chat Removal
Fixed in version: 0.6.0
Number of sites affected: 200 000+
CVSS 3.0 score: 5.4 (Medium - Requires subscriber or higher role user authentication.)

Visitor Monitoring & Chat Removal vulnerability discovered by Quentin VILLAIN (3wsec) in WordPress Tawk.To Live Chat plugin (versions <= 0.5.5).

Update the WordPress Tawk.To Live Chat plugin to the latest available version (at least 0.6.0).

Registrations for the Events Calendar

Collect and manage event registrations with a customizable form and email template. 

Vulnerability: SQL Injection (SQLi)
Fixed in version: 2.7.6
Number of sites affected: 10 000+
CVSS 3.0 score: 7.3 (High - Can be exploited remotely without any authentication.)

SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Registrations for the Events Calendar plugin (versions <= 2.7.5).

Update the WordPress Registrations for the Events Calendar plugin to the latest available version (at least 2.7.6).

WP Google Fonts

The WP Google Font plugin makes it even easier to use Google’s free service to add high-quality fonts to your WordPress-powered site. 

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.1.5
Number of sites affected: 80 000+
CVSS 3.0 score: 6.8 (Medium - Can be exploited by any authenticated user.)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress WP Google Fonts plugin (versions <= 3.1.4).

Update the WordPress WP Google Fonts plugin to the latest available version (at least 3.1.5).

WP DSGVO Tools (GDPR)

WordPress GDPR plugin.

Vulnerability: Unauthenticated Arbitrary Post Deletion
Fixed in version: 3.1.23
Number of sites affected: 30 000+
CVSS 3.0 score: 7.5 (High - Can be exploited remotely without any authentication.)

Unauthenticated Arbitrary Post Deletion vulnerability discovered by Ramuel Gall (WordFence) in WordPress WP DSGVO Tools (GDPR) plugin (versions <= 3.1.22).

Update the WordPress WP DSGVO Tools (GDPR) plugin to the latest available version (at least 3.1.24).

My Calendar

My Calendar does WordPress event management with richly customizable ways to display events. 

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.2.18
Number of sites affected: 30 000+
CVSS 3.0 score: 6.8 (Medium - Requires any authenticated user.)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress My Calendar plugin (versions <= 3.2.17).

Update the WordPress My Calendar plugin to the latest available version (at least 3.2.18).

Easy Google Maps

Create Easy Google Maps in a minute with the Easy Google Maps WordPress plugin.

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS) 
Fixed in version: 1.10.1
Number of sites affected: 40 000+
CVSS 3.0 score: 5.5 (Medium - Requires high role user authentication like admin.)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Easy Google Maps plugin (versions <= 1.9.33).

Update the WordPress Easy Google Maps plugin to the latest available version (at least 1.10.1).

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin

myCred is a points management system that allows you to build and manage a broad range of digital rewards, including points, ranks, and badges, on your WordPress/WooCommerce powered website.

Vulnerability: SQL Injection (SQLi)
Fixed in version: 2.3
Number of sites affected: 20 000+
CVSS 3.0 score: 6.3 (Medium - Requires subscriber or higher role user authentication.)

SQL Injection (SQLi) vulnerability discovered by bl4derunner in WordPress myCred plugin (versions <= 2.2).

Update the WordPress myCred plugin to the latest available version (at least 2.3).

Smash Balloon Social Post Feed

Display Facebook posts on your WordPress site. 

Vulnerability: Stored Cross-Site Scripting (XSS) via Arbitrary Setting Update
Fixed in version: 4.0.1
Number of sites affected: 200 000+
CVSS 3.0 score: 7.3 (High - Can be exploited by any authenticated user.)

Stored Cross-Site Scripting (XSS) via Arbitrary Setting Update vulnerability discovered by Marc Montpas (JetPack Security Team) in WordPress Smash Balloon Social Post Feed plugin (versions <= 4.0).

Update the WordPress Smash Balloon Social Post Feed plugin to the latest available version (at least 4.0.1).

NextScripts: Social Networks Auto-Poster

This plugin automatically publishes posts from your blog to your Social Media accounts such as Facebook, Twitter, Google+, Blogger, Tumblr, and more.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 4.3.21
Number of sites affected: 90 000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ramuel Gall (WordFence) in WordPress NextScripts: Social Networks Auto-Poster plugin (versions <= 4.3.20).

Update the WordPress NextScripts: Social Networks Auto-Poster plugin to the latest available version (at least 4.3.21).

WPS Hide Login

WPS Hide Login is a very light plugin that lets you easily and safely change the URL of the login form page to anything you want. 

Vulnerability: Protection Bypass with Referer-Header
Fixed in version: 1.9.1
Number of sites affected: 1+ million
CVSS 3.0 score: 5.3 (Medium - Can be exploited remotely without any authentication.)

Protection Bypass with Referer-Header vulnerability discovered by Daniel Ruf in WordPress WPS Hide Login plugin (versions <= 1.9).

Update the WordPress WPS Hide Login plugin to the latest available version (at least 1.9.1).

OptinMonster

OptinMonster is a popup builder and marketing plugin that helps you get email subscribers, increase sales, and grow your business.

Vulnerability: Unprotected REST-API to Sensitive Information Disclosure and Unauthorized API access
Fixed in version: 2.6.5
Number of sites affected: 1+ million
CVSS 3.0 score: 7.2 (High - Can be exploited remotely without any authentication.)

Unprotected REST-API to Sensitive Information Disclosure and Unauthorized API access vulnerability discovered by Chloe Chamberland (WordFence) in WordPress OptinMonster plugin (versions <= 2.6.4).

Update the WordPress OptinMonster plugin to the latest available version (at least 2.6.5).

HashThemes Demo Importer

HashThemes Demo Importer imports the full demo with just one click.

Vulnerability: Improper Access Control allowing content deletion
Fixed in version: 1.1.2
Number of sites affected: 8 000+
CVSS 3.0 score: 8.1 (High - Possible with low privilege user role like Subscriber.)

Improper Access Control allowing content deletion vulnerability discovered by Ramuel Gall (WordFence) in WordPress HashThemes Demo Importer plugin (versions <= 1.1.1).

Update the WordPress HashThemes Demo Importer plugin to the latest available version (at least 1.1.2).

eCommerce Product Catalog Plugin for WordPress

eCommerce Product Catalog is a free product catalog plugin for WordPress eCommerce sites or simple product catalog websites, with request-for-quote functionality.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.0.39
Number of sites affected: 10 000+
CVSS 3.0 score: 7.4 (High)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress eCommerce Product Catalog plugin (versions <= 3.0.38).

Update the WordPress eCommerce Product Catalog plugin to the latest available version (at least 3.0.39).

Popup Anything – A Marketing Popup

Popup Anything is a marketing plugin that helps you get email subscribers.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 2.0.4
Number of sites affected: 50 000+
CVSS 3.0 score: 6.9 (Medium - Requires contributor or higher role user authentication.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vishnupriya Ilango in WordPress Popup Anything plugin (versions <= 2.0.3).

Update the WordPress Popup Anything plugin to the latest available version (at least 2.0.4).

Simple Job Board

Simple Job Board by PressTigers is an easy, lightweight plugin that adds a job board to your WordPress website.

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 2.9.5
Number of sites affected: 20 000+
CVSS 3.0 score: 5.4 (Medium - Requires high privilege user authentication like admin.)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Simple Job Board plugin (versions <= 2.9.4).

Update the WordPress Simple Job Board plugin to the latest available version (at least 2.9.5).

Registration Forms

A User Registration form plugin to help you create a registration form in minutes, with a simple drag and drop builder.

Vulnerability: Open Redirect
Fixed in version: 3.7.2.4
Number of sites affected: 5 000+
CVSS 3.0 score: 5.3 (Medium)

Open Redirect vulnerability discovered by WPScanTeam in WordPress Pie Register plugin (versions <= 3.7.2.3).

Update the WordPress Pie Register plugin to the latest available version (at least 3.7.2.4).

Catch Themes Demo Import

Catch Themes Demo Import is a demo importer WordPress plugin that lets you import the demo you desire.

Vulnerability: Arbitrary File Upload
Fixed in version: 1.8
Number of sites affected: 10 000+
CVSS 3.0 score: 7.2 (High - Requires high privilege user authentication like admin.)

Arbitrary File Upload vulnerability discovered by Thinkland Security Team in WordPress Catch Themes Demo Import plugin (versions <= 1.7).

Update the WordPress Catch Themes Demo Import plugin to the latest available version (at least 1.8).

LearnPress 

LearnPress is a comprehensive LMS plugin for WordPress.

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 4.1.3.2
Number of sites affected: 100 000+
CVSS 3.0 score: 5.5 (Medium - Requires high privilege user authentication like admin.)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress LearnPress plugin (versions <= 4.1.3.1).

Update the WordPress LearnPress plugin to the latest available version (at least 4.1.3.2).

Sassy Social Share

Sassy Social Share enables your website users to share the content over Facebook, Twitter, Google, Linkedin, Whatsapp, Tumblr, Pinterest, Reddit, Parler, Gab, and over 100 more social sharing and bookmarking services.

Vulnerability: Missing Authorization Controls to PHP Object Injection
Fixed in version: 3.3.24
Number of sites affected: 100 000+
CVSS 3.0 score: 6.3 (Medium - Possible with a subscriber or higher role user.)

Missing Authorization Controls to PHP Object Injection vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Sassy Social Share plugin (versions <= 3.3.23).

Update the WordPress Sassy Social Share plugin to the latest available version (at least 3.3.24).

WP Fastest Cache

Cache plugin for WordPress.

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Fixed in version: 0.9.5
Number of sites affected: 1+ million
CVSS 3.0 score: 9.6 (Critical)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Marc Montpas (Jetpack Scan team) in WordPress WP Fastest Cache plugin (versions <= 0.9.4).

Update the WordPress WP Fastest Cache plugin to the latest available version (at least 0.9.5).

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: 0.9.5
Number of sites affected: 1+ million
CVSS 3.0 score: 7.7 (High - Possible with any logged-in user.)

Authenticated SQL Injection (SQLi) vulnerability discovered by Marc Montpas (Jetpack Scan team) in WordPress WP Fastest Cache plugin (versions <= 0.9.4).

Update the WordPress WP Fastest Cache plugin to the latest available version (at least 0.9.5).

Brizy – Page Builder

Brizy is a page builder for WordPress.

Vulnerability: Authenticated File Upload and Path Traversal
Fixed in version: 2.3.12
Number of sites affected: 90 000+
CVSS 3.0 score: 8.8 (High - Possible with a subscriber or higher role user.)

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 2.3.12
Number of sites affected: 90 000+
CVSS 3.0 score: 6.4 (Medium - Possible with a subscriber or higher role user.)

Vulnerability: Incorrect authorization checks allowing Post modification
Fixed in version: 2.3.12
Number of sites affected: 90 000+
CVSS 3.0 score: 7.1 (High - Possible with a subscriber or higher role user.)

Multiple vulnerabilities were discovered by Ramuel Gall (WordFence) in WordPress Brizy – Page Builder plugin (versions <= 2.3.11).

Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.3.12).

Asgaros Forum

Asgaros Forum is a WordPress plugin to extend your website with a discussion board.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 1.15.13
Number of sites affected: 20 000+
CVSS 3.0 score: 8.6 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Asgaros Forum plugin (versions <= 1.15.12).

Update the WordPress Asgaros Forum plugin to the latest available version (at least 1.15.13).

WPSchoolPress

WPSchoolPress is a school management plugin.

Vulnerability: Multiple Authenticated SQL Injections (SQLi)
Fixed in version: 2.1.10
Number of sites affected: 2 000+
CVSS 3.0 score: 8.8 (High - Possible with low-privilege user roles like subscriber, or custom low-privilege roles like student.)

Multiple Authenticated SQL Injections (SQLi) vulnerabilities discovered by JrXnm in WordPress WPSchoolPress plugin (versions <= 2.1.9).

Update the WordPress WPSchoolPress plugin to the latest available version (at least 2.1.10).

Loco Translate

Loco Translate provides in-browser editing of WordPress translation files and integration with automatic translation services.

Vulnerability: Authenticated PHP Code Injection
Fixed in version: 2.5.4
Number of sites affected: 1+ million
CVSS 3.0 score: 7.2 (High - Requires translator (custom plugin role).)

Authenticated PHP Code Injection vulnerability discovered by Tomi Ashari in WordPress Loco Translate plugin (versions <= 2.5.3).

Update the WordPress Loco Translate plugin to the latest available version (at least 2.5.4).

WP Simple Booking Calendar

Keep track of your bookings.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: 2.0.7
Number of sites affected: 10 000+
CVSS 3.0 score: 6 (medium - requires high privilege user authentication like admin)

Authenticated SQL Injection (SQLi) vulnerability discovered by Martin Vierula (Trustwave) in WordPress WP Simple Booking Calendar plugin (versions <= 2.0.6).

Update the WordPress WP Simple Booking Calendar plugin to the latest available version (at least 2.0.7).

WordPress core

WordPress is open source software you can use to create a beautiful website, blog, or app.

Vulnerability: Command injection vulnerability in the Lodash library in WordPress core 
Fixed in version: 5.8.1
Number of sites affected: N/A
CVSS 3.0 score: 7.2 (high)

Command injection vulnerability in the Lodash library in WordPress core (versions <= 5.8). Version update list: 5.8 updated to 5.8.1; 5.7, 5.7.1 and 5.7.2 updated to 5.7.3; 5.6 through 5.6.4 updated to 5.6.5; 5.5 through 5.5.5 updated to 5.5.6; 5.4 through 5.4.6 updated to 5.4.7.

Update the WordPress core to the latest available version (at least 5.8.1).

Vulnerability: Data Exposure via REST API vulnerability
Fixed in version: 5.8.1
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Data Exposure via REST API vulnerability discovered by Michael Adams in WordPress core (versions <= 5.8). Version update list: 5.8 updated to 5.8.1; 5.7, 5.7.1 and 5.7.2 updated to 5.7.3; 5.6 through 5.6.4 updated to 5.6.5; 5.5 through 5.5.5 updated to 5.5.6; 5.4 through 5.4.6 updated to 5.4.7.

Update the WordPress core to the latest available version (at least 5.8.1).

Vulnerability: Authenticated Cross-Site Scripting (XSS)
Fixed in version: 5.8.1
Number of sites affected: N/A
CVSS 3.0 score: 7.6 (high - requires a user with contributor or author role)

Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Michal Bentkowski (Securitum) in the WordPress core block editor (versions <= 5.8). The issue allows an authenticated but low-privileged user (such as a contributor or author) to inject script through the editor, bypassing the restrictions imposed on users who lack the unfiltered_html capability. Version update list: 5.8 updated to 5.8.1; 5.7, 5.7.1 and 5.7.2 updated to 5.7.3; 5.6 through 5.6.4 updated to 5.6.5; 5.5 through 5.5.5 updated to 5.5.6; 5.4 through 5.4.6 updated to 5.4.7.

Update the WordPress core to the latest available version (at least 5.8.1).

WordPress Automatic Plugin

WordPress Automatic Plugin posts from almost any website to WordPress automatically.

Vulnerability: Unauthenticated Arbitrary WordPress Options Change
Fixed in version: 3.53.3
Number of sites affected: 26 000+
CVSS 3.0 score: 9.8 (critical - can be exploited remotely without any authentication)

Unauthenticated Arbitrary WordPress Options Change vulnerability discovered by Jerome Bruandet in WordPress Automatic premium plugin (versions <= 3.53.2).

Update the WordPress Automatic premium plugin to the latest available version (at least 3.53.3).

Easy Social Icons

You can upload your own social icons or use Font Awesome social icons, set your social URLs, choose whether to display them vertically or horizontally, left, right or center-aligned, and set the icon width, height and margins.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.0.9
Number of sites affected: 40 000+
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ram Gall (WordFence) in WordPress Easy Social Icons plugin (versions <= 3.0.8).

Update the WordPress Easy Social Icons plugin to the latest available version (at least 3.0.9).

Gutenberg Template Library & Redux Framework

Library of WordPress blocks and templates for Gutenberg.

Vulnerability: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Fixed in version: 4.2.13
Number of sites affected: 1+ million
CVSS 3.0 score: 7.1 (high - requires contributor or higher user role)

Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion vulnerability discovered by Ramuel Gall (WordFence) in WordPress Redux Framework plugin (versions <= 4.2.11).

Update the WordPress Redux Framework plugin to the latest available version (at least 4.2.13).

WP Video Lightbox

The WordPress Video Lightbox plugin allows you to embed videos on a page using a lightbox overlay display.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 1.9.3
Number of sites affected: 60 000+
CVSS 3.0 score: 5.4 (medium - requires user with contributor or higher role)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vishnupriya Ilango (Fortinet Fortiguard Labs) in WordPress WP Video Lightbox plugin (versions <= 1.9.2).

Update the WordPress WP Video Lightbox plugin to the latest available version (at least 1.9.3).

underConstruction

Creates a ‘Coming Soon’ page that will show for all users who are not logged in. 

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 1.19
Number of sites affected: 80 000+
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ram Gall (WordFence) in WordPress underConstruction plugin (versions <= 1.18).

Update the WordPress underConstruction plugin to the latest available version (at least 1.19).

WooCommerce Dynamic Pricing & Discounts

WooCommerce Dynamic Pricing & Discounts is an all-purpose pricing and promotion tool for online retailers.

Vulnerability: Unauthenticated Settings Export
Fixed in version: 2.4.2
Number of sites affected: 19 000+
CVSS 3.0 score: 5.3 (medium - can be exploited remotely without any authentication)

Unauthenticated Settings Export vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WooCommerce Dynamic Pricing & Discounts premium plugin (versions <= 2.4.1).

Update the WordPress WooCommerce Dynamic Pricing & Discounts premium plugin to the latest available version (at least 2.4.2).

Vulnerability: Unauthenticated Settings Import and Stored XSS
Fixed in version: 2.4.2
Number of sites affected: 19 000+
CVSS 3.0 score: 7.1 (high - can be exploited remotely without any authentication)

Unauthenticated Settings Import and Stored XSS vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WooCommerce Dynamic Pricing & Discounts premium plugin (versions <= 2.4.1).

Update the WordPress WooCommerce Dynamic Pricing & Discounts premium plugin to the latest available version (at least 2.4.2).

Advanced Custom Fields

Advanced Custom Fields turns WordPress sites into a fully-fledged content management system by giving you all the tools to do more with your data.

Vulnerability: Arbitrary ACF Data/Field Groups View and Fields Move
Fixed in version: 5.10
Number of sites affected: 1+ million
CVSS 3.0 score: 5.4 (medium - possible with a subscriber or higher role user)

Arbitrary ACF Data/Field Groups View and Fields Move vulnerability discovered by Keitaro Yamazaki in WordPress Advanced Custom Fields plugin (versions <= 5.9.9).

Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.10).

Booster for WooCommerce

Add customized functionality to your WooCommerce business with more than one hundred modules. 

Vulnerability: Authentication Bypass
Fixed in version: 5.4.4
Number of sites affected: 80 000+
CVSS 3.0 score: 9.8 (critical)

Authentication Bypass vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Booster for WooCommerce plugin (versions <= 5.4.3).

Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.4.4).

Real Media Library Lite

Real Media Library helps you with media management. 

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 4.14.2
Number of sites affected: 40 000+
CVSS 3.0 score: 6.4 (medium - possible only with author role user)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Real Media Library Lite plugin (versions <= 4.14.1).

Update the WordPress Real Media Library Lite plugin to the latest available version (at least 4.14.2).

Nested Pages

Provides a simple & intuitive drag and drop interface for managing your page structure and post ordering.

Vulnerability: Open Redirect
Fixed in version: 3.1.16
Number of sites affected: 80 000+
CVSS 3.0 score: 4.7 (medium)

Open Redirect vulnerability discovered by Ram Gall (WordFence) in WordPress Nested Pages plugin (versions <= 3.1.15).

Update the WordPress Nested Pages plugin to the latest available version (at least 3.1.16).

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 3.1.16
Number of sites affected: 80 000+
CVSS 3.0 score: 7.1 (high)

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Post Deletion and Modification discovered by Ram Gall (WordFence) in WordPress Nested Pages plugin (versions <= 3.1.15).

Update the WordPress Nested Pages plugin to the latest available version (at least 3.1.16).

Simple Social Buttons

Simple Social Buttons adds options like Sidebar, inline, above and below the content of the post, on photos, popups, and more.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 3.2.3
Number of sites affected: 40 000+
CVSS 3.0 score: 5.4 (medium - requires contributor or higher user role)

Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Simple Social Media Share Buttons plugin (versions <= 3.2.2).

Update the WordPress Simple Social Media Share Buttons plugin to the latest available version (at least 3.2.3).

GiveWP – Donation Plugin and Fundraising Platform

GiveWP is a donation plugin for WordPress. 

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 2.12.0
Number of sites affected: 100 000+
CVSS 3.0 score: 4.8 (medium)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress GiveWP plugin (versions <= 2.11.3).

Update the WordPress GiveWP plugin to the latest available version (at least 2.12.0).

Charitable – Donation Plugin

With Charitable, you can create fundraising campaigns.

Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.6.51
Number of sites affected: 10 000+
CVSS 3.0 score: 6.1 (medium)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Eric Daams in WordPress Charitable plugin (versions <= 1.6.50).

Update the WordPress Charitable plugin to the latest available version (at least 1.6.51).

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.6.51
Number of sites affected: 10 000+
CVSS 3.0 score: 5.4 (medium)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa in WordPress Charitable plugin (versions <= 1.6.50).

Update the WordPress Charitable plugin to the latest available version (at least 1.6.51).

SEOPress, on-site SEO

SEOPress is a WordPress SEO plugin to optimize your SEO.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 5.0.4
Number of sites affected: 100 000+
CVSS 3.0 score: 6.4 (medium)

Stored Cross-Site Scripting (XSS) vulnerability via REST-API discovered by Chloe Chamberland (WordFence) in WordPress SEOPress, on-site SEO plugin (versions 5.0.0 – 5.0.3).

Update the WordPress SEOPress, on-site SEO plugin to the latest available version (at least 5.0.4).

WordPress Vulnerability News - Conclusion

See the full list of vulnerabilities here.

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily.

Every public website is a resource reachable from the internet, and as soon as your site is available to the public it becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated.

That leaves only a small window in which to act. This is where virtual patches are critically important.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, update them to the latest version as soon as possible.

Patchstack creates virtual patches that are distributed automatically to protected sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus, so our security engine is updated on a daily basis.

Websites with Patchstack installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, go and start for free here.
