Updated: October 5, 2021

WordPress Vulnerability News, September 2021

Agnes Talalaev
from patchstack

WordPress vulnerability news is a weekly digest of highlighted WordPress plugin security vulnerabilities and vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don't make it to the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities you find in this article have received a virtual patch in the Patchstack security module. This means that if you use Patchstack, your site is safe from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site.

You can find all the vulnerabilities mentioned in our WordPress vulnerability news in our vulnerability database.

JobSearch WP Job Board

WP Job Search brings you a solution to display jobs on a website.

Vulnerability: Unauthenticated Settings Change
Fixed in version: 1.8.2
Number of sites affected: 1 000+
CVSS 3.0 score: 5.3 (medium - Can be exploited remotely without any authentication.)

Vulnerability: Authenticated Arbitrary WordPress Options Change
Fixed in version: 1.8.2
Number of sites affected: 1 000+
CVSS 3.0 score: 8.8 (high - Requires custom plugin role like candidate or employer (low privileges)).

Multiple vulnerabilities were discovered by Jerome Bruandet (NinTechNet) in the WordPress JobSearch premium plugin (versions <= 1.8.1).

Update the WordPress JobSearch premium plugin to the latest available version (at least 1.8.2).

Stripe For WooCommerce

Accept Credit Cards, Google Pay, ApplePay, Afterpay, ACH, Klarna, iDEAL, and more all in one plugin for free.

Vulnerability: Missing Authorization Controls to Financial Account Hijacking
Fixed in version: 3.3.10
Number of sites affected: 70 000+
CVSS 3.0 score: 4.3 (medium - registered customer account required)

Missing Authorization Controls to Financial Account Hijacking vulnerability discovered by Margaux DABERT (Intrinsec) in WordPress Stripe For WooCommerce plugin (versions 3.0.0 – 3.3.9).

Update the WordPress Stripe For WooCommerce plugin to the latest available version (at least 3.3.10).

Countdown and CountUp, WooCommerce Sales Timer

With WordPress Countdown and CountUp, WooCommerce Sales Timer plugin you can create any timer you need. 

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Fixed in version: 1.5.8
Number of sites affected: 500+
CVSS 3.0 score: 8.8 (high)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Xu-Liang Liao in WordPress Countdown and CountUp, WooCommerce Sales Timer plugin (versions <= 1.5.7).

Update the WordPress Countdown and CountUp, WooCommerce Sales Timer plugin to the latest available version (at least 1.5.8).

WP Mega Menu

You can use Mega Menu to create navigation menus for your website. 

Vulnerability: Arbitrary Post Access
Fixed in version: 1.4.0
Number of sites affected: 20 000+
CVSS 3.0 score: 5.3 (medium - Can be exploited remotely without any authentication.)

Vulnerability: Arbitrary Post Access
Fixed in version: 1.4.1
Number of sites affected: 20 000+
CVSS 3.0 score: 4.3 (medium - Requires subscriber or higher user role.)

Arbitrary Post Access vulnerability discovered by WPScanTeam in WordPress WP Mega Menu plugin (versions <= 1.4.0).

Update the WordPress WP Mega Menu plugin to the latest available version (at least 1.4.1).

Video Player for YouTube

YouTube Video Player for WordPress.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 1.4
Number of sites affected: 2 000+
CVSS 3.0 score: 6.5 (medium - Requires contributor or higher user role.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Michał Lipiński in WordPress Video Player for YouTube plugin (versions <= 1.3).

Update the WordPress Video Player for YouTube plugin to the latest available version (at least 1.4).

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Use Ninja Forms to create WordPress forms.

Vulnerability: Unprotected REST-API to Sensitive Information Disclosure
Fixed in version: 3.5.8
Number of sites affected: 1+ million
CVSS 3.0 score: 6.5 (medium - Possible for any authenticated user.)

Vulnerability: Unprotected REST-API to Email Injection
Fixed in version: 3.5.8
Number of sites affected: 1+ million
CVSS 3.0 score: 6.5 (medium - Possible for any authenticated user.)

Unprotected REST-API to Sensitive Information Disclosure vulnerability and unprotected REST-API to Email Injection vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Ninja Forms Contact Form plugin (versions <= 3.5.7).

Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.5.8).

YITH Maintenance Mode

With the plugin YITH Maintenance Mode, you can set a customizable page to let your visitors know the site is closed for maintenance.

Vulnerability: Multiple Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.4.0
Number of sites affected: 9 000+
CVSS 3.0 score: 6.9 (medium - Requires high privilege user authentication like admin.)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Vlad Visse (Patchstack) in WordPress YITH Maintenance Mode plugin (versions <= 1.3.8). Additionally, 46 more parameters were fixed that had been missed in the update from vulnerable version 1.3.7 to 1.3.8, as reported by Asif Nawaz Minhas (Patchstack Red Team).

Update the WordPress YITH Maintenance Mode plugin to the latest available version (at least 1.4.0).

WordPress Popups for Marketing and Email Newsletters, Lead Generation and Conversions by OptinMonster

OptinMonster is a popup builder and marketing plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.6.1
Number of sites affected: 1+ million
CVSS 3.0 score: 6.1 (medium - Can be exploited remotely without any authentication.)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Mariia Aleksandrova in WordPress OptinMonster plugin (versions <= 2.6.0).

Update the WordPress OptinMonster plugin to the latest available version (at least 2.6.1).

Gutenberg PDF Viewer Block

Free Gutenberg Block to display PDF viewers/readers on your website.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 1.0.1
Number of sites affected: 4 000+
CVSS 3.0 score: 5.4 (medium - Contributor or higher role user required.)

Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Gutenberg PDF Viewer Block plugin (versions <= 1.0).

Update the WordPress Gutenberg PDF Viewer Block plugin to the latest available version (at least 1.0.1).

eID Easy

This plugin makes secure identification and creating Qualified Electronic Signatures using eID methods much easier than implementing these identification methods yourself.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 4.7
Number of sites affected: 100+
CVSS 3.0 score: 6.1 (medium - Can be exploited remotely without any authentication.)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress eID Easy plugin (versions <= 4.6).

Update the WordPress eID Easy plugin to the latest available version (at least 4.7).

BulletProof Security

BPS Pro is an automated security plugin.

Vulnerability: Sensitive Information Disclosure
Fixed in version: 5.2
Number of sites affected: 60 000+
CVSS 3.0 score: 5.3 (medium - Can be exploited remotely without any authentication.)

Sensitive Information Disclosure vulnerability discovered by Vincent Rakotomanga in WordPress BulletProof Security plugin (versions <= 5.1).

Update the WordPress BulletProof Security plugin to the latest available version (at least 5.2).

Software License Manager

Software license management solution for your web applications (WordPress plugins, Themes, PHP-based membership script, etc.)

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 4.5.1
Number of sites affected: 1 000+
CVSS 3.0 score: 7.6 (high - for a successful attack, the attacker needs to know the ID of the domain they wish to delete, and the CSRF victim must be logged in with a high-privilege account.)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jetpack Scan Team in WordPress Software License Manager plugin (versions <= 4.5.0).

Update the WordPress Software License Manager plugin to the latest available version (at least 4.5.1).

Support Board

Vulnerability: Multiple Unauthenticated SQL Injection (SQLi)
Fixed in version: 3.3.4
Number of sites affected: 2 500+
CVSS 3.0 score: 7.3 (high - can be exploited remotely without any authentication)

Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities were discovered by John Jefferson Li in the WordPress Support Board plugin (versions <= 3.3.3).

Update the WordPress Support Board plugin to the latest available version (at least 3.3.4).

WooCommerce Multi Currency - Currency Switcher

WooCommerce Multi Currency allows your customers to switch between currencies and helps your store accept payments in multi-currency.

Vulnerability: Authenticated Product Price Change
Fixed in version: 2.1.18
Number of sites affected: 7 000+
CVSS 3.0 score: 6.5 (medium - can be exploited with customer role user)

Authenticated Product Price Change vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WooCommerce Multi Currency - Currency Switcher premium plugin (versions <= 2.1.17).

Update the WordPress WooCommerce Multi Currency - Currency Switcher premium plugin to the latest available version (at least 2.1.18).

WP Publications

WP Publications is a WordPress plugin.

Vulnerability: Local File Inclusion (LFI)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: 10 000+
CVSS 3.0 score: 8.3 (high - can be exploited remotely without any authentication)

Local File Inclusion (LFI) vulnerability discovered by p7e4 in WordPress WP Publications plugin (versions <= 0.0).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

StopBadBots

This plugin helps you to block bots.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: 6.60
Number of sites affected: 10 000+
CVSS 3.0 score: 6 (medium - high-auth users would be able to exploit this)

Authenticated SQL Injection (SQLi) vulnerability discovered by Martin Vierula (Trustwave) in WordPress StopBadBots plugin (versions <= 6.59).

Update the WordPress StopBadBots plugin to the latest available version (at least 6.60).

WP Simple Booking Calendar

Keep track of your bookings.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: 2.0.7
Number of sites affected: 10 000+
CVSS 3.0 score: 6 (medium - requires high privilege user authentication like admin)

Authenticated SQL Injection (SQLi) vulnerability discovered by Martin Vierula (Trustwave) in WordPress WP Simple Booking Calendar plugin (versions <= 2.0.6).

Update the WordPress WP Simple Booking Calendar plugin to the latest available version (at least 2.0.7).

WordPress core

WordPress is open source software you can use to create a beautiful website, blog, or app.

Vulnerability: Command injection vulnerability in the Lodash library in WordPress core 
Fixed in version: 5.8.1
Number of sites affected: N/A
CVSS 3.0 score: 7.2 (high)

Command injection vulnerability in the Lodash library in WordPress core (versions <= 5.8). Version update list: 5.8 updated to 5.8.1; 5.7, 5.7.1 and 5.7.2 updated to 5.7.3; 5.6 through 5.6.4 updated to 5.6.5; 5.5 through 5.5.5 updated to 5.5.6; 5.4 through 5.4.6 updated to 5.4.7.

Update the WordPress core to the latest available version (at least 5.8.1).

Vulnerability: Data Exposure via REST API vulnerability
Fixed in version: 5.8.1
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Data Exposure via REST API vulnerability discovered by Michael Adams in WordPress core (versions <= 5.8). Version update list: 5.8 updated to 5.8.1; 5.7, 5.7.1 and 5.7.2 updated to 5.7.3; 5.6 through 5.6.4 updated to 5.6.5; 5.5 through 5.5.5 updated to 5.5.6; 5.4 through 5.4.6 updated to 5.4.7.

Update the WordPress core to the latest available version (at least 5.8.1).

Vulnerability: Authenticated Cross-Site Scripting (XSS)
Fixed in version: 5.8.1
Number of sites affected: N/A
CVSS 3.0 score: 7.6 (high - requires a user with contributor or author role)

Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Michal Bentkowski (Securitum) in WordPress core block editor (versions <= 5.8). The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have permission to post unfiltered_html. Version update list: 5.8 updated to 5.8.1; 5.7, 5.7.1 and 5.7.2 updated to 5.7.3; 5.6 through 5.6.4 updated to 5.6.5; 5.5 through 5.5.5 updated to 5.5.6; 5.4 through 5.4.6 updated to 5.4.7.

Update WordPress core to the latest available version (at least 5.8.1).

User Activation Email

User Activation Email is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress User Activation Email plugin (versions <= 1.3.0).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

SP Rental Manager

SP Rental Manager is a WordPress plugin.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 8.2 (high - can be exploited remotely without any authentication)

Unauthenticated SQL Injection (SQLi) vulnerability discovered by p7e4 in WordPress SP Rental Manager plugin (versions <= 1.5.3).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

RentPress

RentPress is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress RentPress plugin (versions <= 6.6.4).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

Twitter Friends Widget

Twitter Friends Widget is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Twitter Friends Widget plugin (versions <= 3.1).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

Custom Menu Plugin

Custom Menu Plugin is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Custom Menu Plugin plugin (versions <= 1.3.3).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

simpleSAMLphp Authentication

simpleSAMLphp Authentication is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress simpleSAMLphp Authentication plugin (versions <= 0.7.0).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

More from Google

More from Google is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress More from Google plugin (versions <= 0.0.2).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

3D Cover Carousel

3D Cover Carousel is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress 3D Cover Carousel plugin (versions <= 1.0).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

Konnichiwa! Membership

Konnichiwa! Membership is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Konnichiwa! Membership plugin (versions <= 0.8.3).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

WP Academic People List

WP Academic People List is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress WP Academic People List plugin (versions <= 0.4.1).

This plugin has been closed as of September 7, 2021, and is not available for download. This closure is temporary, pending a full review.

WordPress Automatic Plugin

WordPress Automatic Plugin posts from almost any website to WordPress automatically.

Vulnerability: Unauthenticated Arbitrary WordPress Options Change
Fixed in version: 3.53.3
Number of sites affected: 26 000+
CVSS 3.0 score: 9.8 (critical - can be exploited remotely without any authentication)

Unauthenticated Arbitrary WordPress Options Change vulnerability discovered by Jerome Bruandet in WordPress Automatic premium plugin (versions <= 3.53.2).

Update the WordPress Automatic premium plugin to the latest available version (at least 3.53.3).

Pinterest Automatic Pin

A plugin that will pin images from your posts automatically to pinterest.com.

Vulnerability: Unauthenticated Arbitrary WordPress Options Change
Fixed in version: 4.14.4
Number of sites affected: 7 000+
CVSS 3.0 score: 9.8 (critical - can be exploited remotely without any authentication)

Unauthenticated Arbitrary WordPress Options Change vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Pinterest Automatic Pin plugin (versions <= 4.14.3).

Update the WordPress Pinterest Automatic Pin plugin to the latest available version (at least 4.14.4).

Easy Social Icons

You can upload your own social icons or use Font Awesome social icons, set your social URLs, choose whether to display them vertically or horizontally, left-, right- or center-aligned, and set the icon width, height, or margins.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.0.9
Number of sites affected: 40 000+
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ram Gall (WordFence) in WordPress Easy Social Icons plugin (versions <= 3.0.8).

Update the WordPress Easy Social Icons plugin to the latest available version (at least 3.0.9).

Gutenberg Template Library & Redux Framework

Library of WordPress blocks and templates for Gutenberg.

Vulnerability: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Fixed in version: 4.2.13
Number of sites affected: 1+ million
CVSS 3.0 score: 7.1 (high - requires contributor or higher user role)

Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion vulnerability discovered by Ramuel Gall (WordFence) in WordPress Redux Framework plugin (versions <= 4.2.11).

Update the WordPress Redux Framework plugin to the latest available version (at least 4.2.13).

Responsive 3D Slider

Responsive 3D Slider is a WordPress plugin.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: Plugin is closed and not available for download.
Number of sites affected: N/A
CVSS 3.0 score: 4.7 (medium - requires user with admin role)

Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress Responsive 3D Slider plugin (versions <= 1.2).

This plugin has been closed as of May 13, 2021, and is not available for download. Reason: Security Issue.

Simple Schools Staff Directory

Simple Schools Staff Directory is a WordPress plugin.

Vulnerability: Arbitrary File Upload
Fixed in version: Plugin is closed and not available for download.
Number of sites affected: N/A
CVSS 3.0 score: 7.2 (high - requires admin+ role user)

Arbitrary File Upload vulnerability discovered by Chuang Li in WordPress Simple Schools Staff Directory plugin (versions <= 1.1).

This plugin has been closed as of October 24, 2019, and is not available for download. Reason: Guideline Violation.

WP Video Lightbox

The WordPress Video Lightbox plugin allows you to embed videos on a page using a lightbox overlay display.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 1.9.3
Number of sites affected: 60 000+
CVSS 3.0 score: 5.4 (medium - requires user with contributor or higher role)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vishnupriya Ilango (Fortinet Fortiguard Labs) in WordPress WP Video Lightbox plugin (versions <= 1.9.2).

Update the WordPress WP Video Lightbox plugin to the latest available version (at least 1.9.3).

Product Feed on WooCommerce for Google

Easily generate and manage WooCommerce product feeds for popular merchants and marketplaces such as Amazon, Etsy, Google, Facebook, Snapchat, Instagram, Bing, and more.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: 3.4.0
Number of sites affected: 1 000+
CVSS 3.0 score: 5.4 (medium)

Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress Product Feed on WooCommerce for Google plugin (versions <= 3.3.0.3).

Update the WordPress Product Feed on WooCommerce for Google plugin to the latest available version (at least 3.4.0).

underConstruction

Creates a ‘Coming Soon’ page that will show for all users who are not logged in. 

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 1.19
Number of sites affected: 80 000+
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ram Gall (WordFence) in WordPress underConstruction plugin (versions <= 1.18).

Update the WordPress underConstruction plugin to the latest available version (at least 1.19).

ZoomSounds - WordPress Wave Audio Player with Playlist

ZoomSounds is a premium audio plugin for WordPress that allows you to build audio players and playlists.

Vulnerability: Unauthenticated Directory Traversal
Fixed in version: 6.50
Number of sites affected: 3 000+
CVSS 3.0 score: 7.5 (high - can be exploited remotely without any authentication)

Unauthenticated Directory Traversal vulnerability discovered by DigitalJessica Ltd in WordPress ZoomSounds premium plugin (versions <= 6.45).

Update the WordPress ZoomSounds premium plugin to the latest available version (at least 6.50).

WooCommerce Dynamic Pricing & Discounts

WooCommerce Dynamic Pricing & Discounts is an all-purpose pricing and promotion tool for online retailers.

Vulnerability: Unauthenticated Settings Export
Fixed in version: 2.4.2
Number of sites affected: 19 000+
CVSS 3.0 score: 5.3 (medium - can be exploited remotely without any authentication)

Unauthenticated Settings Export vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WooCommerce Dynamic Pricing & Discounts premium plugin (versions <= 2.4.1).

Update the WordPress WooCommerce Dynamic Pricing & Discounts premium plugin to the latest available version (at least 2.4.2).

Vulnerability: Unauthenticated Settings Import and Stored XSS
Fixed in version: 2.4.2
Number of sites affected: 19 000+
CVSS 3.0 score: 7.1 (high - can be exploited remotely without any authentication)

Unauthenticated Settings Import and Stored XSS vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WooCommerce Dynamic Pricing & Discounts premium plugin (versions <= 2.4.1).

Update the WordPress WooCommerce Dynamic Pricing & Discounts premium plugin to the latest available version (at least 2.4.2).

Advanced Custom Fields

Advanced Custom Fields turns WordPress sites into a fully-fledged content management system by giving you all the tools to do more with your data.

Vulnerability: Arbitrary ACF Data/Field Groups View and Fields Move
Fixed in version: 5.10
Number of sites affected: 1+ million
CVSS 3.0 score: 5.4 (medium - possible with a subscriber or higher role user)

Arbitrary ACF Data/Field Groups View and Fields Move vulnerability discovered by Keitaro Yamazaki in WordPress Advanced Custom Fields plugin (versions <= 5.9.9).

Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.10).

WP iCommerce

WP iCommerce – the first interactive eCommerce for WordPress.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.7 (medium)

Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress WP iCommerce plugin (versions <= 1.1.1).

This plugin has been closed as of May 13, 2021, and is not available for download. Reason: Security Issue.

Booster for WooCommerce

Add customized functionality to your WooCommerce business with more than one hundred modules. 

Vulnerability: Authentication Bypass
Fixed in version: 5.4.4
Number of sites affected: 80 000+
CVSS 3.0 score: 9.8 (critical)

Authentication Bypass vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Booster for WooCommerce plugin (versions <= 5.4.3).

Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.4.4).

Real Media Library Lite

Real Media Library helps you with media management. 

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 4.14.2
Number of sites affected: 40 000+
CVSS 3.0 score: 6.4 (medium - possible only with author role user)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Real Media Library Lite plugin (versions <= 4.14.1).

Update the WordPress Real Media Library Lite plugin to the latest available version (at least 4.14.2).

Page Contact

Page Contact is a WordPress plugin.

Vulnerability: Authenticated SQL Injection (SQLi)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.7 (medium)

Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress Page Contact plugin (versions <= 1.0).

This plugin has been closed as of May 13, 2021, and is not available for download. Reason: Security Issue.

Nested Pages

Provides a simple & intuitive drag and drop interface for managing your page structure and post ordering.

Vulnerability: Open Redirect
Fixed in version: 3.1.16
Number of sites affected: 80 000+
CVSS 3.0 score: 4.7 (medium)

Open Redirect vulnerability discovered by Ram Gall (WordFence) in WordPress Nested Pages plugin (versions <= 3.1.15).

Update the WordPress Nested Pages plugin to the latest available version (at least 3.1.16).

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 3.1.16
Number of sites affected: 80 000+
CVSS 3.0 score: 7.1 (high)

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Post Deletion and Modification discovered by Ram Gall (WordFence) in WordPress Nested Pages plugin (versions <= 3.1.15).

Update the WordPress Nested Pages plugin to the latest available version (at least 3.1.16).

Shopping Cart & eCommerce Store

Shopping Cart & eCommerce Store is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 8.8 (high)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Xu-Liang Liao in WordPress Shopping Cart & eCommerce Store plugin (versions <= 5.1.1).

This plugin has been closed as of August 17, 2021, and is not available for download. This closure is temporary, pending a full review.

Simple Social Buttons

Simple Social Buttons adds options like Sidebar, inline, above and below the content of the post, on photos, popups, and more.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 3.2.3
Number of sites affected: 40 000+
CVSS 3.0 score: 5.4 (medium - requires contributor or higher user role)

Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Simple Social Media Share Buttons plugin (versions <= 3.2.2).

Update the WordPress Simple Social Media Share Buttons plugin to the latest available version (at least 3.2.3).

Slider Hero with Animation, Video Background & Intro Maker

Slider Hero is a futuristic, responsive header Hero Slider plugin and Dynamic Website Intro Advert maker with Youtube Video background and animated background effects for hero banners, hero sliders, and Landing pages.

Vulnerability: SQL Injection (SQLi)
Fixed in version: 8.2.7
Number of sites affected: 4 000+
CVSS 3.0 score: 5.4 (medium - requires contributor or higher user role)

SQL Injection (SQLi) vulnerability discovered by apple502j in WordPress Slider Hero plugin (versions <= 8.2.6).

Update the WordPress Slider Hero plugin to the latest available version (at least 8.2.7).

GiveWP – Donation Plugin and Fundraising Platform

GiveWP is a donation plugin for WordPress. 

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 2.12.0
Number of sites affected: 100 000+
CVSS 3.0 score: 4.8 (medium)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress GiveWP plugin (versions <= 2.11.3).

Update the WordPress GiveWP plugin to the latest available version (at least 2.12.0).

Grid Gallery – Photo Image Grid Gallery

You can create photo galleries with the Grid Gallery plugin.

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.2.5
Number of sites affected: 700+
CVSS 3.0 score: 4.8 (medium)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Amal E Thamban in WordPress Grid Gallery plugin (versions <= 1.2.4).

Update the WordPress Grid Gallery plugin to the latest available version (at least 1.2.5).

Charitable – Donation Plugin

With Charitable, you can create fundraising campaigns.

Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.6.51
Number of sites affected: 10 000+
CVSS 3.0 score: 6.1 (medium)

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Eric Daams in WordPress Charitable plugin (versions <= 1.6.50).

Update the WordPress Charitable plugin to the latest available version (at least 1.6.51).

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.6.51
Number of sites affected: 10 000+
CVSS 3.0 score: 5.4 (medium)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa in WordPress Charitable plugin (versions <= 1.6.50).

Update the WordPress Charitable plugin to the latest available version (at least 1.6.51).

SEOPress, on-site SEO

SEOPress is a WordPress SEO plugin to optimize your SEO.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 5.0.4
Number of sites affected: 100 000+
CVSS 3.0 score: 6.4 (medium)

Stored Cross-Site Scripting (XSS) vulnerability via REST-API discovered by Chloe Chamberland (WordFence) in WordPress SEOPress, on-site SEO plugin (versions 5.0.0 – 5.0.3).

Update the WordPress SEOPress, on-site SEO plugin to the latest available version (at least 5.0.4).

RAYS Grid

This is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress RAYS Grid plugin (versions <= 1.2.3).

This plugin has been closed as of June 15, 2021, and is not available for download. Reason: Security Issue.

Sync to Etsy Marketplace from WooCommerce

This is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Sync to Etsy Marketplace from WooCommerce plugin (versions <= 3.3.2).

This plugin has been closed as of June 15, 2021, and is not available for download. Reason: Security Issue.

Opal Estate

Opal Estate is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Opal Estate plugin (versions <= 1.6.11).

This plugin has been closed as of June 15, 2021, and is not available for download. Reason: Security Issue.

WordPress Photo Gallery – Image Gallery

WordPress Photo Gallery is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in the WordPress Photo Gallery – Image Gallery plugin (versions <= 1.0.8).

This plugin has been closed as of June 15, 2021, and is not available for download. Reason: Security Issue.

Event Espresso 4 Decaf

Event Espresso 4 Decaf is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Event Espresso 4 Decaf plugin (versions <= 4.10.12.decaf).

This plugin has been closed as of June 15, 2021, and is not available for download. Reason: Security Issue.

WP Security Question

WP Security Question is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WP Security Question plugin (versions <= 1.0.5).

This plugin has been closed as of June 15, 2021, and is not available for download. Reason: Security Issue.

WP-Backgrounds Lite

WP-Backgrounds Lite is a WordPress plugin.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WP-Backgrounds Lite plugin (versions <= 2.3).

This plugin has been closed as of June 15, 2021, and is not available for download. Reason: Security Issue.

SP Project & Document Manager

SP Project & Document Manager is a WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium)

Attribute-based Reflected Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress SP Project & Document Manager plugin (versions <= 4.25).

This plugin has been closed as of August 11, 2021 and is not available for download. This closure is temporary, pending a full review.

Multiplayer Games

A WordPress plugin.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Multiplayer Games plugin (versions <= 3.7).

This plugin has been closed as of August 12, 2021, and is not available for download. This closure is temporary, pending a full review.

Post Index

Vulnerability: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Kentaro Kuroki (Cryptography Laboratory - Tokyo Denki University) in WordPress Post Index plugin (versions <= 0.7.5).

This plugin has been closed as of July 20, 2021 and is not available for download. This closure is temporary, pending a full review.

Poll Maker

A WordPress plugin to make polls.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.2.9
Number of sites affected: 2 000+
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Xu-Liang Liao in WordPress Poll Maker plugin (versions <= 3.2.8).

Update the WordPress Poll Maker plugin to the latest available version (at least 3.2.9).

Favicon

Generate and setup a favicon for desktop browsers, iPhone/iPad, Android devices, Windows 8 tablets and more.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: no known fix
Number of sites affected: 200 000+
CVSS 3.0 score: 4.8 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by renniepak in WordPress Favicon plugin (versions <= 1.3.20).

According to the WPScan team, the vendor was contacted but did not respond, so the vulnerability was disclosed without a fix. Timeline (WPScan team):

June 28, 2021 - Details sent to vendor
July 9, 2021 - Escalated to WP due to lack of response from vendor
July 27, 2021 - No update, disclosing

FluentSMTP

Fluent SMTP plugin fixes your email delivery issue by connecting WordPress Mail with your email service providers. 

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 2.0.1
Number of sites affected: 20 000+
CVSS 3.0 score: 4.8 (medium - can be exploited by authenticated users with plugin management capabilities)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by YoshiKen in WordPress FluentSMTP plugin (versions <= 2.0.0).

Update the WordPress FluentSMTP plugin to the latest available version (at least 2.0.1).

Youtube Feeder

Add a Youtube video feed on your WordPress blog. 

Vulnerability: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 8.8 (high - can be exploited remotely without any authentication)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Kohei Hino (Cryptography Laboratory - Tokyo Denki University) in WordPress Youtube Feeder plugin (versions <= 2.0.1).

This plugin has been closed as of July 29, 2021 and is not available for download. This closure is temporary, pending a full review.

Nifty Newsletters (Formerly Sola Newsletters)

Create and send newsletters, automatic post notifications and autoresponders that are modern and beautiful with our unique newsletter editor.

Vulnerability: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 8.8 (high - can be exploited remotely without any authentication)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Kohei Hino (Cryptography Laboratory - Tokyo Denki University) in WordPress Nifty Newsletters plugin (versions <= 4.0.23).

This plugin has been closed as of July 29, 2021 and is not available for download. This closure is temporary, pending a full review.

WP Fusion Lite

WP Fusion Lite synchronizes your WordPress users with leading CRMs and marketing automation systems, keeps user profiles in sync with CRM contact records, and more.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 3.37.30
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 3.37.30
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium - can be exploited remotely without any authentication)

Multiple vulnerabilities were discovered by Xu-Liang Liao in the WordPress WP Fusion Lite plugin (versions <= 3.37.18).

This plugin has been closed as of August 6, 2021, and is not available for download. This closure is temporary, pending a full review.

WordPress Download Manager

WordPress Download Manager is a file and document management plugin to manage, track and control file downloads from your WordPress site. 

Vulnerability: Authenticated Directory Traversal
Fixed in version: 3.1.25
Number of sites affected: 100 000+
CVSS 3.0 score: 6.5 (medium - requires contributor or higher user role)

Vulnerability: Authenticated File Upload
Fixed in version: 3.1.25
Number of sites affected: 100 000+
CVSS 3.0 score: 7.5 (high - requires authentication as an author or another role with the upload_files capability)

Multiple vulnerabilities were discovered by Ramuel Gall (WordFence) in the WordPress Download Manager plugin (versions <= 3.1.24).

Update the WordPress Download Manager plugin to the latest available version (at least 3.1.25).

HD Quiz

HD Quiz is a plugin to create quizzes and embed them onto any page or post. 

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.8.4
Number of sites affected: 7 000+
CVSS 3.0 score: 5.4 (medium)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress HD Quiz plugin (versions <= 1.8.3).

Update the WordPress HD Quiz plugin to the latest available version (at least 1.8.4).

Membership & Content Restriction - Paid Member Subscriptions

A membership solution, allowing you to accept member payments, manage members, create subscription plans and restrict access to premium content.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.4.2
Number of sites affected: 10 000+
CVSS 3.0 score: 5.4 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Paid Member Subscriptions plugin (versions <= 2.4.1).

Update the WordPress Paid Member Subscriptions plugin to the latest available version (at least 2.4.2).

Advanced Shipment Tracking for WooCommerce

Advanced Shipment Tracking (AST) provides all you need to manage and automate the WooCommerce fulfillment workflow.

Vulnerability: Authenticated WordPress Options Change
Fixed in version: 3.2.7
Number of sites affected: 50 000+
CVSS 3.0 score: 9.9 (critical - can be exploited by all authenticated users, including WooCommerce customers)

Authenticated WordPress Options Change vulnerability discovered by Jerome Bruandet in WordPress Advanced Shipment Tracking for WooCommerce plugin (versions <= 3.2.6).

Update the WordPress Advanced Shipment Tracking for WooCommerce plugin to the latest available version (at least 3.2.7).

Simple Post

WordPress plugin.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.4 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vikas Srivastava in WordPress Simple Post plugin (versions <= 1.1).

This plugin has been closed as of July 23, 2021, and is not available for download. This closure is temporary, pending a full review.

WOOCS – WooCommerce Currency Switcher

WOOCS is a multi-currency plugin that allows adding any currency to a WooCommerce store.

Vulnerability: Local File Inclusion (LFI) leading to Remote Code Execution (RCE)
Fixed in version: 1.3.7
Number of sites affected: 60 000+
CVSS 3.0 score: 9.9 (critical - exploitable by any logged-in user with the capability to render shortcodes)

Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE) discovered by Marc Montpas (Automattic) in WordPress WOOCS – WooCommerce Currency Switcher plugin (versions <= 1.3.6.2).

Update the WordPress WOOCS – WooCommerce Currency Switcher plugin to the latest available version (at least 1.3.7).

KN Fix Your Title

With this plugin, you can fix and handle your blog title.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Aakash Choudhary in WordPress KN Fix Your Title plugin (versions <= 1.0.1).

This plugin has been closed as of July 20, 2021, and is not available for download. This closure is temporary, pending a full review.

Custom Login Redirect

Redirect WordPress login.

Vulnerability: Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Vinay Bhuria in WordPress Custom Login Redirect plugin (versions <= 1.0.0).

This plugin has been closed as of June 14, 2021 and is not available for download. This closure is temporary, pending a full review.

Mimetic Books

This plugin allows WordPress bloggers to create books utilizing the Mimetic Books publishing system.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vikas Srivastava in WordPress Mimetic Books plugin (versions <= 0.2.13).

This plugin has been closed as of July 19, 2021, and is not available for download. This closure is temporary, pending a full review.

WPFront Notification Bar

WPFront Notification Bar plugin lets you display a notification about a promotion or news.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 2.0.0
Number of sites affected: 60 000+
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress WPFront Notification Bar plugin (versions <= 1.9.2).

Update the WordPress WPFront Notification Bar plugin to the latest available version (at least 2.0.0).

WooCommerce

WooCommerce is the world’s most popular open-source eCommerce solution.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 5.5.1
Number of sites affected: 5+ million
CVSS 3.0 score: 8.2 (high)

Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress WooCommerce plugin (versions <= 5.5.0).

Update the WordPress WooCommerce plugin to the latest available version (at least 5.5.1).

WooCommerce Blocks

WooCommerce Blocks are the easiest, most flexible way to display your products on posts and pages.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 5.5.1
Number of sites affected: 200 000+
CVSS 3.0 score: 8.2 (high)

Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress WooCommerce Blocks plugin (versions <= 5.5.0).

Update the WordPress WooCommerce Blocks plugin to the latest available version (at least 5.5.1).

Current Book

This plugin will help you to show the book title and writer of the book you're currently reading to your viewers/readers.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vikas Srivastava in WordPress Current Book plugin (versions <= 1.0.1).

This plugin has been closed as of July 15, 2021, and is not available for download. This closure is temporary, pending a full review.

Frontend File Manager

This plugin lets the WordPress site users upload files for admin.

Vulnerability: Unauthenticated HTML Injection
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 7.3 (high)

Vulnerability: Privilege Escalation
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.3 (medium)

Vulnerability: Unauthenticated Content Injection and Stored XSS
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 6.1 (medium)

Vulnerability: Authenticated Settings Change and Arbitrary File Upload
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.4 (medium)

Vulnerability: Unauthenticated Arbitrary Post Deletion
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.3 (medium)

Vulnerability: Unauthenticated Post Meta Change and Arbitrary File Download
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.3 (medium)

Multiple vulnerabilities were discovered by Jerome Bruandet (NinTechNet) in WordPress Frontend File Manager plugin (versions <= 18.2).

Update the WordPress Frontend File Manager plugin to the latest available version (at least 18.3).

WPFront Notification Bar

WPFront Notification Bar plugin lets you display a notification about a promotion or news.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 1.9.2
Number of sites affected: 60 000+
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Swapnil Subhash Bodekar in WordPress WPFront Notification Bar plugin (versions <= 1.9.1).

Update the WordPress WPFront Notification Bar plugin to the latest available version (at least 1.9.2).

MDTF - WordPress Meta Data & Taxonomies Filter

WordPress Meta Data Filter & Taxonomies Filter – MDTF – the plugin for searching and filtering WordPress content – posts and their custom types by taxonomies and metadata fields.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 1.2.8
Number of sites affected: 3 000+
CVSS 3.0 score: 4.3 (medium - can be exploited remotely without any authentication)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Ryoma Nishioka in WordPress Meta Data and Taxonomies Filter (MDTF) plugin (versions <= 1.2.7.2).

Update the WordPress Meta Data and Taxonomies Filter (MDTF) plugin to the latest available version (at least 1.2.8).

WP Upload Restriction

Restrict file uploading permissions for the users. 

Vulnerability: Missing access control in the deleteCustomType function
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.3 (medium)

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.4 (medium)

This plugin has been closed as of July 1, 2021, and is not available for download. This closure is temporary, pending a full review.

WPCS – WordPress Currency Switcher

WordPress Currency Switcher (WPCS) is a WordPress currency plugin, that allows your site visitors to switch prices currencies in your site content according to set currencies rates in real-time.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 1.1.7
Number of sites affected: 1 000+
CVSS 3.0 score: 4.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Mizuki Takagi (Cryptography Laboratory, Tokyo Denki University) in WordPress WPCS plugin (versions <= 1.1.6).

Update the WordPress WPCS plugin to the latest available version (at least 1.1.7).

WordPress Email Template Designer – WP HTML Mail

Create your own professional email design within a few minutes without any coding.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 3.0.8
Number of sites affected: 20 000+
CVSS 3.0 score: 4.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Konan Nagashima in WordPress WP HTML Mail plugin (versions <= 3.0.6).

Update the WordPress WP HTML Mail plugin to the latest available version (at least 3.0.8).

Slider Hero with Animation, Video Background & Intro Maker

Slider Hero is a futuristic, responsive header Hero Slider plugin and Dynamic Website Intro Advert maker with Youtube Video background and animated background effects for hero banners, hero sliders, and Landing pages.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 8.2.1
Number of sites affected: 4 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Slider Hero plugin (versions <= 8.2.0).

Update the WordPress Slider Hero plugin to the latest available version (at least 8.2.1).

Amministrazione Trasparente

Periodic updates, flexible, intuitive, and fast insertion, support for advanced item cataloging (AT sections, categories, tags) and back-end data filtering, and more.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 7.1.1
Number of sites affected: 2 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Amministrazione Trasparente plugin (versions <= 7.1).

Update the WordPress Amministrazione Trasparente plugin to the latest available version (at least 7.1.1).

Vuukle Comments, Reactions, Share Bar, Revenue

Vuukle offers a unique and visually interactive sharing tool called the PowerBar.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 4.0.1
Number of sites affected: 1 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Vuukle Comments, Reactions, Share Bar, Revenue plugin (versions <= 3.4.31).

Update the WordPress Vuukle Comments, Reactions, Share Bar, Revenue plugin to the latest available version (at least 4.0.1).

WP EasyPay – Square for WordPress

WP EasyPay is a fast, and secure WordPress plugin designed to simplify the way your website accepts Square payments.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 3.2.3
Number of sites affected: 2 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WP EasyPay plugin (versions <= 3.2.0).

Update the WordPress WP EasyPay plugin to the latest available version (at least 3.2.3).

Abandoned Cart Recovery for WooCommerce

WooCommerce Abandoned Cart Recovery is a WooCommerce extension that helps you recover unfinished orders in your store.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 1.0.4.1
Number of sites affected: 5 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Abandoned Cart Recovery for WooCommerce plugin (versions <= 1.0.4).

Update the WordPress Abandoned Cart Recovery for WooCommerce plugin to the latest available version (at least 1.0.4.1).

Locations

Add a Locations page to your website to help your customers find the store closest to them. 

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 4.0
Number of sites affected: 1 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Locations plugin (versions <= 3.2.1).

Update the WordPress Locations plugin to the latest available version (at least 4.0).

PWA for WP & AMP

PWA plugin is bringing the power of the Progressive Web Apps to the WP & AMP to take the user experience to the next level.

Vulnerability: Authenticated Arbitrary File Upload
Fixed in version: 1.7.33
Number of sites affected: 20 000+
CVSS 3.0 score: 8.8 (high - requires authentication as a subscriber or higher user role)

Authenticated Arbitrary File Upload vulnerability discovered by Jerome Bruandet in WordPress PWA for WP & AMP plugin (versions <= 1.7.32).

Update the WordPress PWA for WP & AMP plugin to the latest available version (at least 1.7.33).

WordPress Vulnerability News - Conclusion

See the full list of vulnerabilities here.

WordPress sites are hacked and infected every day; some statistics put the number of websites infected with some type of malware at around 30,000 per day.

Every public website is a resource available on the internet and therefore a target: as soon as your website is reachable by the public, it is one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign, and attacks of this nature are almost always automated.

That leaves only a small time window in which to act, which is where virtual patches matter.

Always keep your plugins updated, and enable automatic updates if possible. If you are using any of the plugins mentioned above, update to the fixed version as soon as possible; where a plugin has been closed and no fixed version exists, deactivate and remove it.

Patchstack distributes virtual patches automatically to protected sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus, so the security engine is updated daily.

Websites with Patchstack installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, you can start for free here.
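Each entry above gives an affected range ("versions <= X") and, where one exists, a fixed version. The following Python script is an added example (not Patchstack's code and not from any of the plugins listed) of turning that into a check against a site's installed plugins. It assumes the installed-plugin data is in the JSON shape produced by `wp plugin list --format=json` (the sample below is constructed), and the plugin directory slugs in its advisory table are assumptions; the affected and fixed versions are the ones this digest reports. The version comparison handles the version shapes seen in the digest, such as "1.0.4.1" being newer than "1.0.4" and "4.10.12.decaf" comparing equal to itself, and treats a closed plugin with no fix as something to remove rather than update.

```python
"""Flag installed WordPress plugins that fall inside an advisory's affected range.

Added example, not Patchstack's code and not from any plugin listed in the digest.
Input mirrors the JSON emitted by `wp plugin list --format=json`
(keys: name, status, update, version); the installed-plugin sample is
constructed. Affected/fixed versions are the ones reported in the digest;
the directory slugs are assumptions.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    slug: str                 # plugin directory slug (assumed)
    title: str
    issue: str
    affected_max: str         # highest vulnerable version ("versions <= X")
    fixed_in: Optional[str]   # None: plugin closed, no fix available


# Transcribed from the digest (slugs assumed).
ADVISORIES = [
    Advisory("nested-pages", "Nested Pages", "CSRF leading to arbitrary post deletion", "3.1.15", "3.1.16"),
    Advisory("woocommerce", "WooCommerce", "Unauthenticated SQL injection", "5.5.0", "5.5.1"),
    Advisory("woocommerce-currency-switcher", "WOOCS", "LFI leading to RCE", "1.3.6.2", "1.3.7"),
    Advisory("download-manager", "WordPress Download Manager", "Authenticated file upload", "3.1.24", "3.1.25"),
    Advisory("event-espresso-decaf", "Event Espresso 4 Decaf", "CSRF", "4.10.12.decaf", None),
    Advisory("favicon-by-realfavicongenerator", "Favicon", "Reflected XSS", "1.3.20", None),
]


def version_key(version: str) -> list:
    """Split a version string into comparable tokens.

    Numeric tokens compare numerically ("1.3.10" > "1.3.7"); a longer version
    with the same prefix sorts higher ("1.0.4.1" > "1.0.4"); alphabetic
    tokens such as "decaf" sort below any number in the same position.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(1, int(t), "") if t.isdigit() else (0, 0, t.lower()) for t in tokens]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def is_affected(installed_version: str, advisory: Advisory) -> bool:
    # "versions <= X" means everything up to and including X is vulnerable.
    return compare_versions(installed_version, advisory.affected_max) <= 0


def check_plugins(plugin_list_json: str, advisories=ADVISORIES) -> list:
    """Return one finding per installed plugin inside an affected range.

    Inactive plugins are reported too: their files are still on disk, so the
    safe action is to update or remove them rather than rely on the status.
    """
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    findings = []
    for adv in advisories:
        plugin = installed.get(adv.slug)
        if plugin is None or not is_affected(plugin["version"], adv):
            continue
        if adv.fixed_in is None:
            action = "no fix available (plugin closed): deactivate and remove"
        else:
            action = f"update to {adv.fixed_in} or later"
        findings.append({
            "slug": adv.slug, "title": adv.title, "installed": plugin["version"],
            "status": plugin["status"], "issue": adv.issue, "action": action,
        })
    return findings


# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "nested-pages", "status": "active", "update": "available", "version": "3.1.15"},
    {"name": "woocommerce", "status": "active", "update": "none", "version": "5.5.1"},
    {"name": "woocommerce-currency-switcher", "status": "inactive", "update": "available", "version": "1.3.6.2"},
    {"name": "event-espresso-decaf", "status": "active", "update": "none", "version": "4.10.12.decaf"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.12"},
])

if __name__ == "__main__":
    for f in check_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['title']} {f['installed']} ({f['status']}): {f['issue']} -> {f['action']}")
```

On a real site, feed it the output of `wp plugin list --format=json` instead of the constructed sample. Note that the inactive WOOCS install is still reported: an inactive plugin's files remain on disk, and the advice in this digest is to update or delete, not to rely on a plugin being switched off.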
