Updated: 06.13.2022
WordPress Vulnerability News, June 2022
Agnes Talalaev
from patchstack

WordPress vulnerability news is a weekly digest of highlighted WordPress plugin security vulnerabilities or vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don't make it to the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we are analyzing WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities you find in this article have received a virtual patch in the Patchstack security module. This means that if you use Patchstack, your site is safe from these vulnerabilities, but it is still strongly advised to update or delete vulnerable plugins on your site.

You can find all the vulnerabilities mentioned in our WordPress vulnerability news from our vulnerability database.


Jupiter premium theme

WooCommerce theme.

Vulnerability: Authenticated Privilege Escalation and Post deletion
Fixed in version: 6.10.2
Number of sites affected: 160,000+
CVSS 3.0 score: 9.9 (Critical - Requires subscriber or higher role user authentication.)

Authenticated Privilege Escalation and Post deletion vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Jupiter premium theme (versions <= 6.10.1).

Update the WordPress Jupiter premium theme to the latest available version (at least 6.10.2).

School Management Pro premium

School Management is a WordPress plugin to manage one or multiple schools and their entities such as classes, sections, students, exams, ID cards, admit cards, teachers, and more.

Vulnerability: Unauthenticated Remote Code Execution (RCE) via REST API
Fixed in version: 9.9.7
Number of sites affected: N/A
CVSS 3.0 score: 10 (Critical - Can be exploited remotely without any authentication.)

Unauthenticated Remote Code Execution (RCE) via REST API discovered by Jetpack Scan Team and WordPress elevated support team in WordPress School Management Pro premium plugin (versions < 9.9.7).

Update the WordPress School Management Pro premium plugin to the latest available version (at least 9.9.7).

KiviCare – Clinic & Patient Management System (EHR)

KiviCare is a clinic and patient management plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 2.3.9
Number of sites affected: 1,000+
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress KiviCare plugin (versions <= 2.3.8).

Update the WordPress KiviCare plugin to the latest available version (at least 2.3.9).

Import Export All WordPress Images, Users & Post Types

You can import all types of data from XML and CSV files directly into your WordPress website with WP Ultimate CSV Importer Plugin.

Vulnerability: Authenticated Blind Server-Side Request Forgery (SSRF)
Fixed in version: 6.5.3
Number of sites affected: 10,000+
CVSS 3.0 score: 6.6 (Medium - Requires high role user authentication like admin.)

Authenticated Blind Server-Side Request Forgery (SSRF) vulnerability discovered by Luan Pedersini in WordPress WP Ultimate CSV Importer plugin (versions <= 6.5.2).

Update the WordPress WP Ultimate CSV Importer plugin to the latest available version (at least 6.5.3).

ARMember

WordPress membership plugin.

Vulnerability: Unauthenticated Admin Account Takeover
Fixed in version: 3.4.8
Number of sites affected: 2,000+
CVSS 3.0 score: 9.4 (Critical - Can be exploited remotely without any authentication.)

Unauthenticated Admin Account Takeover vulnerability discovered by cydave in WordPress ARMember plugin (versions <= 3.4.7).

Update the WordPress ARMember plugin to the latest available version (at least 3.4.8).

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin

Backup, restore and migrate WordPress sites with the XCloner plugin.

Vulnerability: Unauthenticated Plugin Settings Reset
Fixed in version: No fixed version is available.
Number of sites affected: 20,000+
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Note: last updated 1 year ago.

Unauthenticated Plugin Settings Reset vulnerability discovered by Krzysztof Zając in WordPress XCloner plugin (versions <= 4.2.163).

No fixed version is available.

Product Configurator for WooCommerce

The Product Configurator for WooCommerce allows you to use layers to produce instant visuals for your customers.

Vulnerability: Unauthenticated Arbitrary File Deletion
Fixed in version: 1.2.32
Number of sites affected: 1,000+
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Arbitrary File Deletion vulnerability discovered by cydave in WordPress Product Configurator for WooCommerce plugin (versions <= 1.2.31).

Update the WordPress Product Configurator for WooCommerce plugin to the latest available version (at least 1.2.32).

WP Fundraising Donation and Crowdfunding Platform

WP Fundraising Donation and Crowdfunding Platform is a WordPress plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: Deactivate and delete
Number of sites affected: N/A
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress WP Fundraising Donation and Crowdfunding Platform plugin (versions <= 1.4.2).

Deactivate and delete. This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

WooCommerce Green Wallet Gateway

This payment gateway allows businesses to accept debit and credit card payments and make a positive environmental impact as they plant a tree with every payment they process on your behalf.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 1.0.2
Number of sites affected: Fewer than 10
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by goodguyandy in WordPress WooCommerce Green Wallet Gateway plugin (versions <= 1.0.1).

Update the WordPress WooCommerce Green Wallet Gateway plugin to the latest available version (at least 1.0.2).


WP Statistics

With WP-Statistics you can know your website statistics without any need to send your users’ data anywhere.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 13.2.2
Number of sites affected: 600,000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress WP Statistics plugin (versions <= 13.2.1).

Update the WordPress WP Statistics plugin to the latest available version (at least 13.2.2).

External Links in New Window / New Tab

Opens external links in a new tab or a new window.

Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.43
Number of sites affected: 40,000+
CVSS 3.0 score: 6.1 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress External Links in New Window / New Tab plugin (versions <= 1.42).

Update the WordPress External Links in New Window / New Tab plugin to the latest available version (at least 1.43).

StaffList

A very lightweight plugin, designed to easily create and manage a staff directory in your WordPress theme.

Vulnerability: Authenticated SQL Injection (SQLi) 
Fixed in version: 3.1.5
Number of sites affected: 200+
CVSS 3.0 score: 6.6 (Medium - Requires high role user authentication like admin.)

Authenticated SQL Injection (SQLi) vulnerability discovered by Hassan Khan Yusufzai in WordPress StaffList plugin (versions <= 3.1.2).

Update the WordPress StaffList plugin to the latest available version (at least 3.1.5).

Code Snippets Extended

Using this plugin, you can create code chunks (or snippets) and use them in posts or pages on your site.

Vulnerability: Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) 
Fixed in version: No patched version is available
Number of sites affected: 10,000+
CVSS 3.0 score: 8.8 (High)

Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Code Snippets Extended plugin (versions <= 1.4.7).

No patched version is available. No reply from the vendor.

Better Find and Replace

This plugin automatically finds a specific word (given by you) and will replace it with your own word.

Vulnerability: SQL Injection (SQLi)
Fixed in version: 1.3.5
Number of sites affected: 20,000+
CVSS 3.0 score: 6.6 (Medium - Requires high role user authentication like admin.)

SQL Injection (SQLi) vulnerability discovered in WordPress Better Find and Replace plugin (versions <= 1.3.4).

Update the WordPress Better Find and Replace plugin to the latest available version (at least 1.3.5).

WP SEO TDK


“WP SEO TDK” is open source software.

Vulnerability: Unauthenticated Setting Update leading to Stored Cross-Site Scripting (XSS)
Fixed in version: Deactivate and delete
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Setting Update leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress WP SEO TDK plugin (versions <= 2.1.2).

Deactivate and delete. This plugin has been closed as of July 20, 2021, and is not available for download. Reason: Guideline Violation.

Nirweb support

A WordPress plugin for a support system.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 2.8.2
Number of sites affected: 900+
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Nirweb support plugin (versions <= 2.7.9).

Update the WordPress Nirweb support plugin to the latest available version (at least 2.8.2).

WP Contacts Manager

WP Contacts Manager is a WordPress plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: Deactivate and delete, no known fix.
Number of sites affected: N/A
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress WP Contacts Manager plugin (versions <= 2.2.4).

Deactivate and delete. This plugin has been closed as of April 20, 2022 and is not available for download. This closure is temporary, pending a full review.

All in One WP Migration

WordPress plugin for moving websites.

Vulnerability: Directory Traversal to File Deletion on Windows Hosts
Fixed in version: 7.59
Number of sites affected: 4+ million
CVSS 3.0 score: 6.6 (Medium - Requires high role user authentication like admin.)

Directory Traversal to File Deletion on Windows Hosts vulnerability discovered by haidv35 (Viettel Cyber Security) in WordPress All-in-One WP Migration plugin (versions <= 7.58).

Update the WordPress All-in-One WP Migration plugin to the latest available version (at least 7.59).

RSVPMaker

RSVPMaker is an event scheduling and RSVP tracking plugin for WordPress.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 9.2.7
Number of sites affected: 600+
CVSS 3.0 score: 9.8 (Critical - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by Tobias Kay Dalå (oxnan) in WordPress RSVPMaker plugin (versions <= 9.2.6).

Update the WordPress RSVPMaker plugin to the latest available version (at least 9.2.7).

Booking Calendar

Booking Calendar plugin enables a booking system for your site.

Vulnerability: Insecure Deserialization/PHP Object Injection
Fixed in version: 9.1.1
Number of sites affected: 60,000+
CVSS 3.0 score: 8.1 (High - Can be exploited remotely without any authentication.)

Insecure Deserialization/PHP Object Injection vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Booking Calendar plugin (versions <= 9.1).

Update the WordPress Booking Calendar plugin to the latest available version (at least 9.1.1).

Sliderby10Web

WordPress plugin to create sliders.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 1.2.52
Number of sites affected: 40,000+
CVSS 3.0 score: 4.8 (Medium - Requires high role user authentication like admin.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Sliderby10Web plugin (versions <= 1.2.51).

Update the WordPress Sliderby10Web plugin to the latest available version (at least 1.2.52).

WPCargo Track & Trace

WPCargo is a WordPress plugin designed to provide an ideal technology solution for your freight forwarding, transportation & logistics operations.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 6.9.5
Number of sites affected: 10,000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Raul in WordPress WPCargo Track & Trace plugin (versions <= 6.9.4).

Update the WordPress WPCargo Track & Trace plugin to the latest available version (at least 6.9.5).

Metform Elementor Contact Form Builder

Metform contact form builder is an addon for Elementor.

Vulnerability: Unauthenticated API keys and Secrets Disclosure
Fixed in version: 2.1.4
Number of sites affected: 100,000+
CVSS 3.0 score: 7.5 (High - Can be exploited remotely without any authentication.)

Unauthenticated API keys and Secrets Disclosure vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress Metform Elementor Contact Form Builder plugin (versions <= 2.1.3).

Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version (at least 2.1.4).

Advanced Contact form 7 DB

Easy plug & play plugin to store all enquiry details received through website Contact Form 7 forms.

Vulnerability: Unauthenticated API keys and Secrets Disclosure
Fixed in version: No known fix - deactivate and delete
Number of sites affected: 90,000+
CVSS 3.0 score: 4.7 (Medium - Can be exploited remotely without any authentication)

Persistent Cross-Site Scripting (XSS) vulnerability discovered in Advanced Contact form 7 DB plugin (versions <= 1.8.7) by BEE-K.

Rara One Click Demo Import

Rara One Click Demo Import plugin will help you import the demo content, including settings of the widgets and the customizer, with a click.

Vulnerability: Cross-Site Request Forgery (CSRF) leads to Arbitrary File Upload
Fixed in version: No known fix - deactivate and delete
Number of sites affected: 40,000+
CVSS 3.0 score: 8.8 (High)

Cross-Site Request Forgery (CSRF) leads to Arbitrary File Upload vulnerability discovered in the Rara One Click Demo Import plugin (versions <= 1.2.9) by BEE-K.

Deactivate and delete the plugin.

AGIL

AGIL is a WordPress plugin.

Vulnerability: Arbitrary File Upload
Fixed in version: No known fix - deactivate and delete
Number of sites affected: N/A
CVSS 3.0 score: 7.2 (High - Requires high role user authentication like admin.)

Arbitrary File Upload vulnerability discovered by Chuang LI in WordPress AGIL plugin (versions <= 1.0).

Deactivate and delete. This plugin has been closed as of March 31, 2022, and is not available for download. This closure is temporary, pending a full review.

Advanced Uploader

Advanced uploader is a WordPress plugin.

Vulnerability: Arbitrary File Upload
Fixed in version: No known fix - deactivate and delete
Number of sites affected: N/A
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary File Upload vulnerability discovered by Roel van Beurden in WordPress Advanced Uploader plugin (versions <= 4.2).

Deactivate and delete. This plugin has been closed as of March 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Elementor Website Builder

Elementor is the leading website building platform for WordPress, enabling web creators to build professional, pixel-perfect websites with an intuitive visual builder.

Vulnerability: Arbitrary File Upload
Fixed in version: 3.6.3
Number of sites affected: 5+ million
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary File Upload vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Elementor Website Builder plugin (versions <= 3.6.2).

Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.6.3).

Fancy Product Designer

The Fancy Product Designer will enable you and your customers to design and customize any kind of product.

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary File Upload
Fixed in version: 4.7.6
Number of sites affected: N/A
CVSS 3.0 score: 8.8 (High)

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary File Upload discovered by Lin Yu in WordPress Fancy Product Designer plugin (versions <= 4.7.5).

Update the WordPress Fancy Product Designer plugin to the latest available version (at least 4.7.6).

Ubigeo de Perú

This plugin adds the tables _ubigeo_departamento, _ubigeo_provincia and _ubigeo_distrito (Peru's departments, provinces and districts) to the database.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 3.6.4
Number of sites affected: 1,000+
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Ubigeo de Perú plugin (versions <= 3.6.3).

Update the WordPress Ubigeo de Perú plugin to the latest available version (at least 3.6.4).

Import WP

Import WP makes it easy to import any XML or CSV files into WordPress and export any WordPress data to XML, CSV, or JSON.

Vulnerability: Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Fixed in version: 2.4.6
Number of sites affected: 1,000+
CVSS 3.0 score: 7.2 (High - Requires high role user authentication like admin.)

Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by ericfrank900528 in WordPress Import WP plugin (versions <= 2.4.5).

Update the WordPress Import WP plugin to the latest available version (at least 2.4.6).

All In One WP Security

The All In One WordPress Security plugin is a WordPress security plugin.

Vulnerability: Authenticated Arbitrary Redirect / Reflected XSS 
Fixed in version: 4.4.11
Number of sites affected: 1+ million
CVSS 3.0 score: 4.4 (Medium)

Authenticated Arbitrary Redirect / Reflected XSS vulnerability discovered by JrXnm in WordPress All In One WP Security plugin (versions <= 4.4.10).

Update the WordPress All In One WP Security plugin to the latest available version (at least 4.4.11).

HubSpot

HubSpot enables you to grow your business better. It helps turn visitors into leads, nurture them into customers, and measure your business growth.

Vulnerability: Blind Server-Side Request Forgery (SSRF)
Fixed in version: 8.8.15
Number of sites affected: 200,000+
CVSS 3.0 score: 6.4 (Medium - Requires contributor or higher role user authentication.)

Blind Server-Side Request Forgery (SSRF) vulnerability was discovered by Brandon Roldan in the WordPress HubSpot plugin (versions <= 8.8.13).

Update the WordPress HubSpot plugin to the latest available version (at least 8.8.15).

Photo Gallery by 10Web

Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 1.6.3
Number of sites affected: 300,000+
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Photo Gallery by 10Web plugin (versions <= 1.6.2).

Update the WordPress Photo Gallery by 10Web plugin to the latest available version (at least 1.6.3).

Multiple unauthenticated SQLi security bugs patched

If you are using any of the following plugins, please update to the most recent version to address an unauthenticated SQLi security bug found in the code:

All you need to do is apply the patch. Now for some bad news.

If you use any of the following plugins, you need to disable or replace them as soon as possible: they carry an unauthenticated SQLi security bug just like the ones in the list above, but no patch is available at this time:

WBCOM Designs patch multiple plugins

The development team over at WBCOM Designs has been busy in the last week patching multiple products against reported security bugs.

Luckily, these bugs all require authentication for sites to be vulnerable. Still, if you use any WBCOM Designs plugins or components on your website, it would be a good idea to double-check whether updates are available for those components and apply them.

The Events Calendar Countdown Addon

The Events Calendar Countdown Addon provides the ability to create a Beautiful Countdown for The Events Calendar (by Modern Tribe) events with just a few clicks.

Vulnerability: Arbitrary Plugin Installation
Fixed in version: 1.4
Number of sites affected: 2,000+
CVSS 3.0 score: 6.5 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Countdown Addon plugin (versions <= 1.3.1).

Update the WordPress The Events Calendar Countdown Addon plugin to the latest available version (at least 1.4).

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 1.4
Number of sites affected: 2,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Countdown Addon plugin (versions <= 1.3.1).

Update the WordPress The Events Calendar Countdown Addon plugin to the latest available version (at least 1.4).

Event Single Page Templates Addon For The Events Calendar

Install this plugin along with The Events Calendar plugin to extend single event page design limitations.

Vulnerability: Arbitrary Plugin Installation
Fixed in version: 1.6
Number of sites affected: 3,000+
CVSS 3.0 score: 6.5 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Event Single Page Templates Addon For The Events Calendar plugin (versions <= 1.5).

Update the WordPress Event Single Page Templates Addon For The Events Calendar plugin to the latest available version (at least 1.6).

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 1.6
Number of sites affected: 3,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Event Single Page Templates Addon For The Events Calendar plugin (versions <= 1.5).

Update the WordPress Event Single Page Templates Addon For The Events Calendar plugin to the latest available version (at least 1.6).

Cryptocurrency Donation Box – Bitcoin & Crypto Donations

Accept donations in the top 50+ major cryptocurrencies on your WordPress website by using this free cryptocurrency donation box, a crypto widget for WordPress.

Vulnerability: Arbitrary Plugin Installation
Fixed in version: 1.8
Number of sites affected: 5,000+
CVSS 3.0 score: 6.5 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin (versions <= 1.7).

Update the WordPress Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin to the latest available version (at least 1.8).

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 1.8
Number of sites affected: 5,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin (versions <= 1.7).

Update the WordPress Cryptocurrency Donation Box – Bitcoin & Crypto Donations plugin to the latest available version (at least 1.8).

The Events Calendar Widgets For Elementor

The Events Calendar Widgets For Elementor helps you to easily represent The Events Calendar events in the Elementor page builder pages.

Vulnerability: Arbitrary Plugin Installation
Fixed in version: 1.5
Number of sites affected: 5,000+
CVSS 3.0 score: 6.5 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Widgets For Elementor plugin (versions <= 1.4.3).

Update the WordPress The Events Calendar Widgets For Elementor plugin to the latest available version (at least 1.5).

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 1.5
Number of sites affected: 5,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Widgets For Elementor plugin (versions <= 1.4.3).

Update the WordPress The Events Calendar Widgets For Elementor plugin to the latest available version (at least 1.5).

Cryptocurrency Widgets – Price Ticker & Coins List

Cryptocurrency Widgets WordPress plugin generates crypto coins price widgets & coins list shortcodes – bitcoin, litecoin, ethereum, ripple, dash, etc.

Vulnerability: Arbitrary Plugin Installation
Fixed in version: 2.5
Number of sites affected: 10,000+
CVSS 3.0 score: 6.5 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Cryptocurrency Widgets – Price Ticker & Coins List plugin (versions <= 2.4).

Update the WordPress Cryptocurrency Widgets – Price Ticker & Coins List plugin to the latest available version (at least 2.5).

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 2.5
Number of sites affected: 10,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Cryptocurrency Widgets – Price Ticker & Coins List plugin (versions <= 2.4).

Update the WordPress Cryptocurrency Widgets – Price Ticker & Coins List plugin to the latest available version (at least 2.5).

Events Shortcodes For The Events Calendar

An addon for The Events Calendar plugin to show your events anywhere inside your page or post using events shortcode builder or Gutenberg blocks.

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 2.0
Number of sites affected: 10,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Events Shortcodes For The Events Calendar plugin (versions <= 1.9).

Update the WordPress Events Shortcodes For The Events Calendar plugin to the latest available version (at least 2.0).

SiteGround Security

SiteGround Security plugin provides security to your website, and prevents threats such as brute-force attacks, compromised login, data leaks, and more.

Vulnerability: Authentication Bypass via 2-Factor Authentication Setup
Fixed in version: 1.2.6
Number of sites affected: 400,000+
CVSS 3.0 score: 9.8 (Critical - Can be exploited remotely without any authentication.)

Authentication Bypass via 2-Factor Authentication Setup vulnerability discovered by Chloe Chamberland (Wordfence) in WordPress SiteGround Security plugin (versions <= 1.2.5).

Update the WordPress SiteGround Security plugin to the latest available version (at least 1.2.6).

Vulnerability: Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes
Fixed in version: 1.2.6
Number of sites affected: 400,000+
CVSS 3.0 score: 8.1 (High - Can be exploited remotely without any authentication.)

Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes vulnerability discovered by Chloe Chamberland (Wordfence) in WordPress SiteGround Security plugin (versions <= 1.2.5).

Update the WordPress SiteGround Security plugin to the latest available version (at least 1.2.6).

The Events Calendar Search Addon

Add an events search widget anywhere using a simple shortcode and search any event quickly.

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 1.2.1
Number of sites affected: 2,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Search Addon plugin (versions <= 1.1.3).

Update the WordPress The Events Calendar Search Addon plugin to the latest available version (at least 1.2.1).

Vulnerability: Arbitrary Plugin Installation
Fixed in version: 1.2.1
Number of sites affected: 2,000+
CVSS 3.0 score: 6.5 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Search Addon plugin (versions <= 1.1.3).

Update the WordPress The Events Calendar Search Addon plugin to the latest available version (at least 1.2.1).

Cool Timeline

Showcase your story or company history using Cool Timeline.

Vulnerability: Arbitrary Plugin Activation
Fixed in version: 2.4
Number of sites affected: 20,000+
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Cool Timeline plugin (versions <= 2.3.3).

Update the WordPress Cool Timeline plugin to the latest available version (at least 2.4).

Vulnerability: Arbitrary Plugin Installation
Fixed in version: 2.4
Number of sites affected: 20,000+
CVSS 3.0 score: 6.5 (Medium - Requires subscriber or higher role user authentication.)

Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Cool Timeline plugin (versions <= 2.3.3).

Update the WordPress Cool Timeline plugin to the latest available version (at least 2.4).

Cab Fare Calculator

Taxi Booking for WordPress is a complete, standalone booking system for distance-priced transportation services such as taxi, limousine, shuttle, airport transfers, delivery, etc.

Vulnerability: Unauthenticated Local File Inclusion (LFI)
Fixed in version: No patched version is available
Number of sites affected: 100+
CVSS 3.0 score: 7.5 (High - Can be exploited remotely without any authentication.)

Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Hassan Khan Yusufzai (Splint3r7) in the WordPress Cab Fare Calculator plugin (versions <= 1.0.3).

Users Ultra

Users Ultra is a WordPress plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Users Ultra plugin (versions <= 3.1.0).

Deactivate and delete. This plugin has been closed as of March 14, 2022 and is not available for download. This closure is temporary, pending a full review.

Donations

Donations is a WordPress plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 8.3 (High)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Donations plugin (versions <= 1.8).

Deactivate and delete. This plugin has been closed as of February 28, 2022 and is not available for download. This closure is temporary, pending a full review.

Advanced Page Visit Counter

Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin is a WordPress plugin.

Vulnerability: Blind SQL Injection (SQLi)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.4 (Medium - Requires subscriber or higher role user authentication.)

Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Advanced Page Visit Counter (versions <= 5.0.8).

Deactivate and delete. This plugin has been closed as of March 17, 2022 and is not available for download. This closure is temporary, pending a full review.

Web To Print Shop : uDraw

Web To Print Shop : uDraw is a WordPress plugin.

Vulnerability: Unauthenticated Arbitrary File Access
Fixed in version: 3.3.33
Number of sites affected: N/A
CVSS 3.0 score: 7.5 (High - Can be exploited remotely without any authentication.)

Unauthenticated Arbitrary File Access vulnerability discovered by cydave in WordPress Web To Print Shop : uDraw plugin (versions <= 3.3.32).

Update the WordPress Web To Print Shop : uDraw plugin to the latest available version (at least 3.3.33).

Master Elements

Master Elements is a WordPress plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Master Elements plugin (versions <= 8.0).

Deactivate and delete. This plugin has been closed as of March 9, 2022 and is not available for download. This closure is temporary, pending a full review.

Flo Launch

The FloLaunch plugin allows you to safely test drive any theme, plugin or new idea on your blog, while visitors still see the default site.

Vulnerability: Missing Authentication Allows Full Site Takeover
Fixed in version: 2.4.1
Number of sites affected: N/A
CVSS 3.0 score: 9.8 (Critical)

Missing Authentication Allows Full Site Takeover vulnerability discovered by Daniel Ruf in WordPress Flo Launch plugin (versions <= 2.4).

Update the WordPress Flo Launch plugin to the latest available version (at least 2.4.1).

Nimble Page Builder

Nimble Page Builder is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Nimble Page Builder plugin (versions <= 3.1.33).

Deactivate and delete. This plugin has been closed as of February 21, 2022 and is not available for download. This closure is temporary, pending a full review.

English WordPress Admin

English WordPress Admin is a WordPress plugin.

Vulnerability: Unauthenticated Open Redirect
Fixed in version: 1.5.2
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (Medium)

Unauthenticated Open Redirect vulnerability discovered by Krzysztof Zając in WordPress English WordPress Admin plugin (versions <= 1.5.1).

Update the WordPress English WordPress Admin plugin to the latest available version (at least 1.5.2).

Anti-Malware Security and Brute-Force Firewall

WordPress anti-malware and brute-force firewall plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 4.20.96
Number of sites affected: 200,000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Anti-Malware Security and Brute-Force Firewall plugin (versions <= 4.20.95).

Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to the latest available version (at least 4.20.96).

Easy Digital Downloads

Easy Digital Downloads is a complete eCommerce solution for selling digital products on WordPress.

Vulnerability: Arbitrary Payment Note Insertion via Cross-Site Request Forgery (CSRF)
Fixed in version: 2.11.6
Number of sites affected: 50,000+
CVSS 3.0 score: 6.5 (Medium)

Arbitrary Payment Note Insertion via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Muhamad Hidayat in the WordPress Easy Digital Downloads plugin (versions <= 2.11.5).

Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 2.11.6).

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 2.11.6
Number of sites affected: 50,000+
CVSS 3.0 score: 4.8 (Medium - Requires high role user authentication like admin.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhamad Hidayat in WordPress Easy Digital Downloads plugin (versions <= 2.11.5).

Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 2.11.6).

RSVP and Event Management

The RSVP plugin was created to help manage attendees for your events.

Vulnerability: Unauthenticated Entries Export
Fixed in version: 2.7.8
Number of sites affected: 5,000+
CVSS 3.0 score: 7.5 (High - Can be exploited remotely without any authentication.)

Unauthenticated Entries Export vulnerability discovered by Daniel Ruf in WordPress RSVP and Event Management plugin (versions <= 2.7.7).

Update the WordPress RSVP and Event Management plugin to the latest available version (at least 2.7.8).

Safe SVG

Safe SVG is the best way to Allow SVG Uploads in WordPress.

Vulnerability: SVG Sanitization Bypass
Fixed in version: 1.9.10
Number of sites affected: 600,000+
CVSS 3.0 score: 5.3 (Medium)

SVG Sanitization Bypass vulnerability discovered by David Hamann in WordPress Safe SVG plugin (versions <= 1.9.9).

Update the WordPress Safe SVG plugin to the latest available version (at least 1.9.10).

Daily Prayer Time

Alhamdulillah that you can display Yearly and Monthly prayer time with ajax month selector using shortcode.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 2022.03.01
Number of sites affected: 1,000+
CVSS 3.0 score: 8.6 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Daily Prayer Time plugin (versions <= 2021.10.29).

Update the WordPress Daily Prayer Time plugin to the latest available version (at least 2022.03.01).

Product Table for WooCommerce

The Product Table plugin helps you to display your WooCommerce products in a searchable table layout with filters.

Vulnerability: Unauthenticated Arbitrary Option Change
Fixed in version: 3.1.2
Number of sites affected: 8,000+
CVSS 3.0 score: 8.6 (High - Can be exploited remotely without any authentication.)

Unauthenticated Arbitrary Option Change vulnerability discovered by Mark Costlow in WordPress Product Table for WooCommerce plugin (versions <= 3.1.1).

Update the WordPress Product Table for WooCommerce plugin to the latest available version (at least 3.1.2).

Vulnerability: Unauthenticated Arbitrary Function Call
Fixed in version: 3.1.2
Number of sites affected: 8,000+
CVSS 3.0 score: 7.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated Arbitrary Function Call vulnerability discovered by Mark Costlow in WordPress Product Table for WooCommerce plugin (versions <= 3.1.1).

Update the WordPress Product Table for WooCommerce plugin to the latest available version (at least 3.1.2).

Ad Injection

WordPress plugin.

Vulnerability: Stored Cross-Site Scripting (XSS) & RCE
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 7.5 (High - Requires high role user authentication like admin.)

Stored Cross-Site Scripting (XSS) & RCE vulnerabilities were discovered by Asif Nawaz Minhas in the WordPress Ad Injection plugin (versions <= 1.2.0.19).

Deactivate and delete. This plugin has been closed as of March 18, 2022, and is not available for download. This closure is temporary, pending a full review.

Pricing Table

WordPress plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 3.6.1
Number of sites affected: N/A
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress Pricing Table plugin (versions <= 3.6).

Update the WordPress Pricing Table plugin to the latest available version (at least 3.6.1).

StopBadBots

When a bad bot tries to open any of your WordPress pages we show a 403 Forbidden page.

Vulnerability: WordPress Options Update vulnerability
Fixed in version: 7.03
Number of sites affected: 10,000+
CVSS 3.0 score: 7.6 (High - Requires subscriber or higher role user authentication.)

WordPress Options Update vulnerability discovered in WordPress StopBadBots plugin (versions <= 7.02).

Update the WordPress StopBadBots plugin to the latest available version (at least 7.03).

Download Manager

WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site.

Vulnerability: Unauthenticated Brute Force of Files Master Key
Fixed in version: 3.2.39
Number of sites affected: 100,000+
CVSS 3.0 score: 6.5 (Medium - Can be exploited remotely without any authentication.)

Unauthenticated Brute Force of Files Master Key vulnerability discovered by Diogo Real in WordPress Download Manager plugin (versions <= 3.2.38).

Update the WordPress Download Manager plugin to the latest available version (at least 3.2.39).

Migration, Backup, Staging – WPvivid

WPvivid Backup Plugin offers backup, migration, and staging as basic features, and is integrating more and more elegant features, such as unused images cleaner, etc.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 0.9.70
Number of sites affected: 100,000+
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Migration, Backup, Staging – WPvivid plugin (versions <= 0.9.69).

Update the WordPress Migration, Backup, Staging – WPvivid plugin to the latest available version (at least 0.9.70).

Easy Social Icons

You can upload your own social icon or font-awesome social icons, set your social URL, choose whether you want to display vertically or horizontally, left or right or center-aligned, icon width height or margins.

Vulnerability: Multiple vulnerabilities
Fixed in version: 3.2.1
Number of sites affected: 40,000+
CVSS 3.0 score: 6.5 (Medium) & 4.8 (Medium - Requires high role user authentication like admin.)

Unauthenticated Arbitrary Icon Deletion vulnerability discovered by Jan w Oleju in plugin versions <= 3.2.0, and Stored Cross-Site Scripting (XSS) vulnerability discovered by qerogram in plugin versions <= 3.2.0.

Update the WordPress Easy Social Icons plugin to the latest available version (at least 3.2.1).

Podcast Importer SecondLine

Sync Podcast RSS feeds with your WordPress website automatically.

Vulnerability: SQL Injection (SQLi)
Fixed in version: 1.3.8
Number of sites affected: 6,000+
CVSS 3.0 score: 6.6 (Medium - Requires high role user authentication like admin.)

SQL Injection (SQLi) vulnerability discovered by YICHENG LIU-ZTE CHENFENG lab in WordPress Podcast Importer SecondLine plugin (versions <= 1.3.7).

Update the WordPress Podcast Importer SecondLine plugin to the latest available version (at least 1.3.8).

FV Flowplayer Video Player

Custom HTML 5 video on your own site with Flash fallback for legacy browsers is here.

Vulnerability: SQL Injection (SQLi)
Fixed in version: 7.5.18.727
Number of sites affected: 40,000+
CVSS 3.0 score: 6.6 (Medium - Requires author or higher role user authentication.)

SQL Injection (SQLi) vulnerability discovered by Tien Nguyen Anh (Patchstack Alliance) in WordPress FV Flowplayer Video Player plugin (versions <= 7.5.15.727).

Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.18.727).

One Click Demo Import

Theme authors can define import files in their themes and so all you (the user of the theme) have to do is click on the “Import Demo Data” button.

Vulnerability: Arbitrary File Upload
Fixed in version: 3.1.0
Number of sites affected: 1+ million
CVSS 3.0 score: 7.2 (High - Requires high role user authentication like admin.)

Arbitrary File Upload vulnerability discovered by YICHENG LIU-ZTE CHENFENG lab in WordPress One Click Demo Import plugin (versions <= 3.0.2).

Update the WordPress One Click Demo Import plugin to the latest available version (at least 3.1.0).

Responsive Menu

Highly customizable Responsive Menu Plugin for WordPress.

Vulnerability: Nonce token leak leading to arbitrary file upload, theme deletion, plugin settings change
Fixed in version: 4.1.8
Number of sites affected: 100,000+
CVSS 3.0 score: 8.3 (High - Requires subscriber or higher role user authentication.)

Nonce token leak leading to arbitrary file upload, theme deletion, plugin settings change vulnerability discovered by Dave Jong (Patchstack) in WordPress Responsive Menu plugin (versions <= 4.1.7).

Update the WordPress Responsive Menu plugin to the latest available version (at least 4.1.8).

Read more about the WordPress plugin vulnerability here.

Library File Manager

Library File Manager is a WordPress plugin.

Vulnerability: Arbitrary File Creation/Upload/Deletion
Fixed in version: Plugin closed, no known fix
Number of sites affected: N/A
CVSS 3.0 score: 8.8 (High - Requires subscriber or higher role user authentication.)

Arbitrary File Creation/Upload/Deletion vulnerability discovered by Luan Pedersni in WordPress Library File Manager plugin (versions <= 5.2.2).

Deactivate and delete. This plugin has been closed as of February 28, 2022, and is not available for download. This closure is temporary, pending a full review.

Stop Bad Bots

Stop Bad Bots, SPAM bots, Crawlers, and spiders without DNS Cloud or API (EndPoint) Traffic Redirection and without slowing down your site.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 6.930
Number of sites affected: 10,000+
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Stop Bad Bots plugin (versions <= 6.92).

Update the WordPress Stop Bad Bots plugin to the latest available version (at least 6.930).

MapPress Maps for WordPress

MapPress is the easiest way to add beautiful interactive Google and Leaflet maps to WordPress.

Vulnerability: Admin+ File Upload leading to Remote Code Execution
Fixed in version: 2.73.13
Number of sites affected: 60,000+
CVSS 3.0 score: 7.2 (High - Requires high role user authentication like admin.)

Admin+ File Upload leading to Remote Code Execution vulnerability discovered by qerogram in WordPress MapPress Maps for WordPress plugin (versions <= 2.73.12).

Update the WordPress MapPress Maps for WordPress plugin to the latest available version (at least 2.73.13).

Read more about this WordPress plugin vulnerability.

Ninja Forms File Uploads Extension premium

Upload files to WordPress, Google Drive, Dropbox, or Amazon S3. Upload documents, images, media, and more.

Vulnerability: Unauthenticated Arbitrary File Upload
Fixed in version: 3.3.1
Number of sites affected: N/A
CVSS 3.0 score: 9.8 (Critical - Can be exploited remotely without any authentication.)

Unauthenticated Arbitrary File Upload vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress Ninja Forms File Uploads Extension premium plugin (versions <= 3.3.0).

Update the WordPress Ninja Forms File Uploads Extension premium plugin to the latest available version (at least 3.3.1).

Read more about this plugin vulnerability.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.3.13
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (Medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Nuno Correia (Blaze Security) in WordPress Ninja Forms File Uploads Extension premium plugin (versions <= 3.3.12).

Update the WordPress Ninja Forms File Uploads Extension premium plugin to the latest available version (at least 3.3.13).

Read more about this plugin vulnerability.

Church Admin

This plugin is for church WordPress sites and has a smartphone app too – it adds an easy-to-use address directory, and you can email and SMS different groups of people.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 3.4.135
Number of sites affected: 1,000+
CVSS 3.0 score: 7.5 (High - Can be exploited remotely without any authentication.)

Unauthenticated Plugin's Backup Disclosure vulnerability discovered by cydave in WordPress Church Admin plugin (versions <= 3.4.134).

Update the WordPress Church Admin plugin to the latest available version (at least 3.4.135).

Read more about the plugin vulnerability.

Translate WordPress with GTranslate

The Translate WordPress with GTranslate plugin uses the Google Translate automatic translation service to translate a WordPress site and make it multilingual.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 2.9.9
Number of sites affected: 300,000+
CVSS 3.0 score: 7.6 (High)

Cross-Site Request Forgery (CSRF) vulnerability leading to Account Takeover discovered in WordPress GTranslate plugin (versions <= 2.9.8).

Update the WordPress GTranslate plugin to the latest available version (at least 2.9.9).

Read more about the plugin vulnerability.

Stop Bad Bots

Stop Bad Bots, SPAM bots, Crawlers, and spiders without DNS Cloud or API (EndPoint) Traffic Redirection and without slowing down your site.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 6.88
Number of sites affected: 10,000+
CVSS 3.0 score: 8.3 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Stop Bad Bots plugin (versions <= 6.87).

Update the WordPress Stop Bad Bots plugin to the latest available version (at least 6.88).

Read more about this WordPress plugin vulnerability.

Limit Login Attempts (Spam Protection)

Limit the number of login attempts possible both through normal login as well as using auth cookies.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 5.1
Number of sites affected: 300+
CVSS 3.0 score: 8.6 (High - Can be exploited remotely without any authentication.)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Limit Login Attempts (Spam Protection) plugin (versions <= 4.9.1).

Update the WordPress Limit Login Attempts (Spam Protection) plugin to the latest available version (at least 5.1).

Read more about this WordPress plugin vulnerability.

File Upload Pro premium

With this plugin, you, or other users, can upload files to your WordPress website from any page.

Vulnerability: Contributor+ Path Traversal
Fixed in version: 4.16.3
Number of sites affected: N/A
CVSS 3.0 score: 8.8 (High - Requires contributor or higher role user authentication.)

Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload Pro premium plugin (versions <= 4.16.2).

Update the WordPress File Upload Pro premium plugin to the latest available version (at least 4.16.3).

Read more about this plugin vulnerability.

Accept Stripe Payments

The Stripe Payments plugin allows you to accept credit card payments via Stripe payment gateway on your WordPress site easily.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 2.0.54
Number of sites affected: 40,000+
CVSS 3.0 score: 5.4 (Medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Accept Stripe Payments plugin (versions <= 2.0.53).

Update the WordPress Accept Stripe Payments plugin to the latest available version (at least 2.0.54).

Read more.

WordPress Gutenberg plugin

“Gutenberg” is a codename for a whole new paradigm for creating with WordPress, that aims to revolutionize the entire publishing experience as much as Gutenberg did the printed word.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 12.7.2
Number of sites affected: 300,000+
CVSS 3.0 score: 5.4 (Medium - Requires contributor or higher role user authentication.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Ben Bidner in WordPress Gutenberg plugin (versions <= 12.7.1).

Update the WordPress Gutenberg plugin to the latest available version (at least 12.7.2).

Read more about this WordPress vulnerability.

WordPress

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 5.9.2
Number of sites affected: N/A
CVSS 3.0 score: 5.4 (Medium - Requires contributor or higher role user authentication.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Ben Bidner in WordPress (versions <= 5.9.1).

Update WordPress to the latest available version (at least 5.9.2).

Read more about this WordPress vulnerability.

WooCommerce

WooCommerce is the world’s most popular open-source eCommerce solution.

Vulnerability: Orders Status Change (via PayPal Standard Gateway)
Fixed in version: 6.3.1
Number of sites affected: 5+ million
CVSS 3.0 score: 4.3 (Medium)

Orders Status Change (via PayPal Standard Gateway) vulnerability discovered in WordPress WooCommerce plugin (versions <= 6.3.0).

Update the WordPress WooCommerce plugin to the latest available version (at least 6.3.1).

Read more.

Profile Builder

Profile Builder is a user profile and registration plugin for WordPress.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 3.6.8
Number of sites affected: 60,000+
CVSS 3.0 score: 4.8 (Medium - Requires high role user authentication like admin.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Abhinav Porwal in WordPress Profile Builder plugin (versions <= 3.6.7).

Update the WordPress Profile Builder plugin to the latest available version (at least 3.6.8).

Read more.

Amelia

Amelia Lite is a free appointment and event booking plugin that allows setting up a fully-featured automated booking system on your WordPress website.

Vulnerability: SMS Service Abuse and Sensitive Data Disclosure
Fixed in version: 1.0.48
Number of sites affected: 40,000+
CVSS 3.0 score: 5.4 (Medium - Requires customer or higher role user authentication.)

SMS Service Abuse and Sensitive Data Disclosure vulnerability discovered by Huli (Cymetrics) in WordPress Amelia plugin (versions <= 1.0.47).

Update the WordPress Amelia plugin to the latest available version (at least 1.0.48).

Advanced Contact form 7 DB

Easy plug & play plugin to store all enquiry details received through website Contact Form 7 forms.

Vulnerability: Arbitrary File Deletion
Fixed in version: 1.8.7
Number of sites affected: 90,000+
CVSS 3.0 score: 8.1 (High - Requires subscriber or higher role user authentication.)

Arbitrary File Deletion vulnerability discovered by Krzysztof Zając in WordPress Advanced Contact form 7 DB plugin (versions <= 1.8.6).

Update the WordPress Advanced Contact form 7 DB plugin to the latest available version (at least 1.8.7).

Event Manager and Tickets Selling Plugin

Event Manager and Tickets Selling Plugin for WooCommerce.

Vulnerability: SQL Injection (SQLi)
Fixed in version: 3.5.8
Number of sites affected: 9,000+
CVSS 3.0 score: 7.4 (High - Requires contributor or higher role user authentication.)

SQL Injection (SQLi) vulnerability discovered by Rafael Castilho in WordPress Event Manager and Tickets Selling Plugin for WooCommerce plugin (versions <= 3.5.7).

Update the WordPress Event Manager and Tickets Selling Plugin for WooCommerce plugin to the latest available version (at least 3.5.8).

WPCargo Track & Trace

WPCargo is a WordPress plug-in designed to provide ideal technology solution for your freight forwarding, transportation & logistics operations.

Vulnerability: Unauthenticated Remote Code Execution (RCE)
Fixed in version: 6.9.0
Number of sites affected: 10,000+
CVSS 3.0 score: 9.8 (Critical - Can be exploited remotely without any authentication.)

Unauthenticated Remote Code Execution (RCE) vulnerability discovered by Krzysztof Zając in WordPress WPCargo Track & Trace plugin (versions <= 6.8.9).

Update the WordPress WPCargo Track & Trace plugin to the latest available version (at least 6.9.0).

WordPress Vulnerability News - Conclusion

See the full list of vulnerabilities here.

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily.

Every public website is a resource reachable from the internet, and therefore a target: as soon as your website is available to the public, it immediately becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated.

To be able to fight back, you have only a small time window in which to take action. In such cases, virtual patches are of critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it with the latest version as soon as possible.

Patchstack issues virtual patches that are distributed automatically to protected sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus, and so our security engine is updated on a daily basis.

Websites with Patchstack installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, go and start for free here.
