Updated: March 8, 2021

WordPress Vulnerability News, July 2021

Agnes Talalaev
from Patchstack

WordPress vulnerability news is a weekly digest of highlighted WordPress plugin security vulnerabilities or vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don't make it to the list).

In July we have listed 26 vulnerable plugins that affect more than 5.7 million sites.

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities you find in this article have received a virtual patch in the Patchstack security module. This means that if you use Patchstack, your site is safe from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site.

You can find all the vulnerabilities mentioned in our WordPress vulnerability news in our vulnerability database.

WordPress Download Manager

WordPress Download Manager is a file and document management plugin to manage, track and control file downloads from your WordPress site. 

Vulnerability: Authenticated Directory Traversal
Fixed in version: 3.1.25
Number of sites affected: 100 000+
CVSS 3.0 score: 6.5 (medium - requires contributor or higher user role)

Vulnerability: Authenticated File Upload
Fixed in version: 3.1.25
Number of sites affected: 100 000+
CVSS 3.0 score: 7.5 (high - requires authentication as an author or another user role with the upload_files capability)

Multiple vulnerabilities were discovered by Ramuel Gall (WordFence) in the WordPress Download Manager plugin (versions <= 3.1.24).

Update the WordPress Download Manager plugin to the latest available version (at least 3.1.25).

HD Quiz

HD Quiz is a plugin to create quizzes and embed them onto any page or post. 

Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Fixed in version: 1.8.4
Number of sites affected: 7 000+
CVSS 3.0 score: 5.4 (medium)

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress HD Quiz plugin (versions <= 1.8.3).

Update the WordPress HD Quiz plugin to the latest available version (at least 1.8.4).

Membership & Content Restriction - Paid Member Subscriptions

A membership solution, allowing you to accept member payments, manage members, create subscription plans and restrict access to premium content.

Vulnerability: Reflected Cross-Site Scripting (XSS)
Fixed in version: 2.4.2
Number of sites affected: 10 000+
CVSS 3.0 score: 5.4 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Paid Member Subscriptions plugin (versions <= 2.4.1).

Update the WordPress Paid Member Subscriptions plugin to the latest available version (at least 2.4.2).

Advanced Shipment Tracking for WooCommerce

Advanced Shipment Tracking (AST) provides all you need to manage and automate the WooCommerce fulfillment workflow.

Vulnerability: Authenticated WordPress Options Change
Fixed in version: 3.2.7
Number of sites affected: 50 000+
CVSS 3.0 score: 9.9 (critical - can be exploited by all authenticated users and WooCommerce customers)

Authenticated WordPress Options Change vulnerability discovered by Jerome Bruandet in WordPress Advanced Shipment Tracking for WooCommerce plugin (versions <= 3.2.6).

Update the WordPress Advanced Shipment Tracking for WooCommerce plugin to the latest available version (at least 3.2.7).

Simple Post

WordPress plugin.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 5.4 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vikas Srivastava in WordPress Simple Post plugin (versions <= 1.1).

This plugin has been closed as of July 23, 2021, and is not available for download. This closure is temporary, pending a full review.

WOOCS – WooCommerce Currency Switcher

WOOCS is a multi-currency plugin that allows adding any currency to a WooCommerce store.

Vulnerability: Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE)
Fixed in version: 1.3.7
Number of sites affected: 60 000+
CVSS 3.0 score: 9.9 (critical - exploitable by any logged-in user with the capability to render shortcodes)

Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE) discovered by Marc Montpas (Automattic) in WordPress WOOCS – WooCommerce Currency Switcher plugin (versions <= 1.3.6.2).

Update the WordPress WOOCS – WooCommerce Currency Switcher plugin to the latest available version (at least 1.3.7).

KN Fix Your Title

With this plugin, you can fix and handle your blog title.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Aakash Choudhary in WordPress KN Fix Your Title plugin (versions <= 1.0.1).

This plugin has been closed as of July 20, 2021, and is not available for download. This closure is temporary, pending a full review.

Custom Login Redirect

Redirect WordPress login.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS discovered by Vinay Bhuria in WordPress Custom Login Redirect plugin (versions <= 1.0.0).

This plugin has been closed as of June 14, 2021, and is not available for download. This closure is temporary, pending a full review.

Mimetic Books

This plugin allows WordPress bloggers to create books utilizing the Mimetic Books publishing system.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vikas Srivastava in WordPress Mimetic Books plugin (versions <= 0.2.13).

This plugin has been closed as of July 19, 2021, and is not available for download. This closure is temporary, pending a full review.

WPFront Notification Bar

WPFront Notification Bar plugin lets you display a notification about a promotion or news.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 2.0.0
Number of sites affected: 60 000+
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress WPFront Notification Bar plugin (versions <= 1.9.2).

Update the WordPress WPFront Notification Bar plugin to the latest available version (at least 2.0.0).

WooCommerce

WooCommerce is the world’s most popular open-source eCommerce solution.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 5.5.1
Number of sites affected: 5+ million
CVSS 3.0 score: 8.2 (high)

Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress WooCommerce plugin (versions <= 5.5.0).

Update the WordPress WooCommerce plugin to the latest available version (at least 5.5.1).

WooCommerce Blocks

WooCommerce Blocks are the easiest, most flexible way to display your products on posts and pages.

Vulnerability: Unauthenticated SQL Injection (SQLi)
Fixed in version: 5.5.1
Number of sites affected: 200 000+
CVSS 3.0 score: 8.2 (high)

Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress WooCommerce Blocks plugin (versions <= 5.5.0).

Update the WordPress WooCommerce Blocks plugin to the latest available version (at least 5.5.1).

Current Book

This plugin will help you to show the book title and writer of the book you're currently reading to your viewers/readers.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Vikas Srivastava in WordPress Current Book plugin (versions <= 1.0.1).

This plugin has been closed as of July 15, 2021, and is not available for download. This closure is temporary, pending a full review.

Frontend File Manager

This plugin lets WordPress site users upload files for the admin.

Vulnerability: Unauthenticated HTML Injection
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 7.3 (high)

Vulnerability: Privilege Escalation
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.3 (medium)

Vulnerability: Unauthenticated Content Injection and Stored XSS
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 6.1 (medium)

Vulnerability: Authenticated Settings Change and Arbitrary File Upload
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.4 (medium)

Vulnerability: Unauthenticated Arbitrary Post Deletion
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.3 (medium)

Vulnerability: Unauthenticated Post Meta Change and Arbitrary File Download
Fixed in version: 18.3
Number of sites affected: 2 000+
CVSS 3.0 score: 5.3 (medium)

Multiple vulnerabilities were discovered by Jerome Bruandet (NinTechNet) in WordPress Frontend File Manager plugin (versions <= 18.2).

Update the WordPress Frontend File Manager plugin to the latest available version (at least 18.3).

WPFront Notification Bar

WPFront Notification Bar plugin lets you display a notification about a promotion or news.

Vulnerability: Stored Cross-Site Scripting (XSS)
Fixed in version: 1.9.2
Number of sites affected: 60 000+
CVSS 3.0 score: 4.8 (medium)

Stored Cross-Site Scripting (XSS) vulnerability discovered by Swapnil Subhash Bodekar in WordPress WPFront Notification Bar plugin (versions <= 1.9.1).

Update the WordPress WPFront Notification Bar plugin to the latest available version (at least 1.9.2).

MDTF - WordPress Meta Data & Taxonomies Filter

WordPress Meta Data Filter & Taxonomies Filter – MDTF – the plugin for searching and filtering WordPress content – posts and their custom types by taxonomies and metadata fields.

Vulnerability: Cross-Site Request Forgery (CSRF)
Fixed in version: 1.2.8
Number of sites affected: 3 000+
CVSS 3.0 score: 4.3 (medium - can be exploited remotely without any authentication)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Ryoma Nishioka in WordPress Meta Data and Taxonomies Filter (MDTF) plugin (versions <= 1.2.7.2).

Update the WordPress Meta Data and Taxonomies Filter (MDTF) plugin to the latest available version (at least 1.2.8).

WP Upload Restriction

Restrict file uploading permissions for users.

Vulnerability: Missing access control in deleteCustomType function
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 4.3 (medium)

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 6.4 (medium)

This plugin has been closed as of July 1, 2021, and is not available for download. This closure is temporary, pending a full review.

WPCS – WordPress Currency Switcher

WordPress Currency Switcher (WPCS) is a WordPress currency plugin that allows your site visitors to switch the currency of prices in your site content according to the configured currency rates in real time.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.1.7
Number of sites affected: 1 000+
CVSS 3.0 score: 4.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Mizuki Takagi (Cryptography Laboratory, Tokyo Denki University) in WordPress WPCS plugin (versions <= 1.1.6).

Update the WordPress WPCS plugin to the latest available version (at least 1.1.7).

WordPress Email Template Designer – WP HTML Mail

Create your own professional email design within a few minutes without any coding.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.0.8
Number of sites affected: 20 000+
CVSS 3.0 score: 4.3 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Konan Nagashima in WordPress WP HTML Mail plugin (versions <= 3.0.6).

Update the WordPress WP HTML Mail plugin to the latest available version (at least 3.0.8).

Slider Hero with Animation, Video Background & Intro Maker

Slider Hero is a futuristic, responsive header Hero Slider plugin and Dynamic Website Intro Advert maker with Youtube Video background and animated background effects for hero banners, hero sliders, and Landing pages.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 8.2.1
Number of sites affected: 4 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Slider Hero plugin (versions <= 8.2.0).

Update the WordPress Slider Hero plugin to the latest available version (at least 8.2.0).

Amministrazione Trasparente

Periodic updates, flexible, intuitive, and fast insertion, support for advanced item cataloging (AT sections, categories, tags) and back-end data filtering, and more.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 7.1.1
Number of sites affected: 2 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Amministrazione Trasparente plugin (versions <= 7.1).

Update the WordPress Amministrazione Trasparente plugin to the latest available version (at least 7.1.1).

Vuukle Comments, Reactions, Share Bar, Revenue

Vuukle offers a unique and visually interactive sharing tool called the PowerBar.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 4.0.1
Number of sites affected: 1 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Vuukle Comments, Reactions, Share Bar, Revenue plugin (versions <= 3.4.31).

Update the WordPress Vuukle Comments, Reactions, Share Bar, Revenue plugin to the latest available version (at least 4.0.1).

WP EasyPay – Square for WordPress

WP EasyPay is a fast and secure WordPress plugin designed to simplify the way your website accepts Square payments.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2.3
Number of sites affected: 2 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WP EasyPay plugin (versions <= 3.2.0).

Update the WordPress WP EasyPay plugin to the latest available version (at least 3.2.3).

Abandoned Cart Recovery for WooCommerce

WooCommerce Abandoned Cart Recovery is a WooCommerce extension that helps you recover unfinished orders in your store.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.0.4.1
Number of sites affected: 5 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Abandoned Cart Recovery for WooCommerce plugin (versions <= 1.0.4).

Update the WordPress Abandoned Cart Recovery for WooCommerce plugin to the latest available version (at least 1.0.4.1).

Locations

Add a Locations page to your website to help your customers find the store closest to them. 

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 4.0
Number of sites affected: 1 000+
CVSS 3.0 score: 4.7 (medium)

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Locations plugin (versions <= 3.2.1).

Update the WordPress Locations plugin to the latest available version (at least 4.0).

PWA for WP & AMP

The PWA plugin brings the power of Progressive Web Apps to WP & AMP to take the user experience to the next level.

Vulnerability: Authenticated arbitrary file upload
Fixed in version: 1.7.33
Number of sites affected: 20 000+
CVSS 3.0 score: 8.8 (high - requires subscriber or higher role user authentication)

Authenticated Arbitrary File Upload vulnerability discovered by Jerome Bruandet in WordPress PWA for WP & AMP plugin (versions <= 1.7.32).

Update the WordPress PWA for WP & AMP plugin to the latest available version (at least 1.7.33).

May WordPress Vulnerability News

WP Super Edit

WP Super Edit is designed to get control of the WordPress WYSIWYG visual editor and add some functionality with more buttons and customized TinyMCE plugins.

Vulnerability: Remote file upload
Fixed in version: No known fix
Number of sites affected: 7 000+
CVSS 3.0 score: 8.6 (high - plugin does not exist, is not supported, or discontinued)

Remote File Upload vulnerability discovered by h4shur in WordPress WP Super Edit plugin (versions <= 2.5.4).

No patched version is available at the moment. Deactivate and delete the plugin until a patched version is available.

MalCare Security

A security plugin for WordPress.

Vulnerability: Authenticated cross-site scripting
Fixed in version: 4.58
Number of sites affected: 100 000+
CVSS 3.0 score: 4.8 (medium - possible only with admin authentication)

Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Lenon Leite in WordPress MalCare Security plugin (versions <= 4.57).

Update the WordPress MalCare Security plugin to the latest available version (at least 4.58).

Spam Protection, Antispam, Firewall by CleanTalk

A security plugin for WordPress.

Vulnerability: Unauthenticated time-based blind SQL injection (SQLi)
Fixed in version: 5.153.4
Number of sites affected: 100 000+
CVSS 3.0 score: 7.5 (high)

Unauthenticated Time-Based Blind SQL Injection (SQLi) vulnerability discovered by WordFence in WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin (versions <= 5.153.3).

Update the WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin to the latest available version (at least 5.153.4).

April WordPress Vulnerability News

WooCommerce

WooCommerce is a customizable, open-source eCommerce platform built on WordPress.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 5.2.0
Number of sites affected: 5+ million
CVSS 3.0 score: 5.4 (medium)

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress WooCommerce plugin (versions <= 5.1.0).

Update the WordPress WooCommerce plugin to the latest available version (at least 5.2.0).

AcyMailing SMTP Newsletter

Use our free WordPress newsletter plugin.

Vulnerability: Unauthenticated open redirect
Fixed in version: 7.5.0
Number of sites affected: 50 000+ 
CVSS 3.0 score: 5.3 (medium)

Unauthenticated Open Redirect vulnerability discovered by Viktor Markopoulos in WordPress AcyMailing SMTP Newsletter plugin (versions <= 7.4.1).

Update the WordPress AcyMailing SMTP Newsletter plugin to the latest available version (at least 7.5.0).

Goto - Tour & Travel WordPress Theme

Goto is a travel agency WordPress theme.

Vulnerability: Unauthenticated blind SQL injection (SQLi)
Fixed in version: 2.1
Number of sites affected: 300+ 
CVSS 3.0 score: 9.8 (critical - can be exploited remotely without any authentication) 

Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress Goto premium theme (versions <= 2.0).

Update the WordPress Goto premium theme to the latest available version (at least 2.1).

WP Super Cache

This plugin generates static HTML files from your dynamic WordPress blog.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 1.7.3
Number of sites affected: 2+ million
CVSS 3.0 score: 5.4 (medium) 

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress WP Super Cache plugin (versions <= 1.7.2).

Update the WordPress WP Super Cache plugin to the latest available version (at least 1.7.3).

WP Fastest Cache

Improve your page load time with WP Fastest Cache.

Vulnerability: Authenticated arbitrary file deletion via path traversal
Fixed in version: 0.9.1.7
Number of sites affected: 1+ million
CVSS 3.0 score: 3.8 (low) 

Authenticated Arbitrary File Deletion via Path Traversal vulnerability (CVSS score 3.8) discovered by Gen Sato in WordPress WP Fastest Cache plugin (versions <= 0.9.1.6).

Update the WordPress WP Fastest Cache plugin to the latest available version (at least 0.9.1.7).

Store Locator Plus

Store Locator Plus® has all the features you need to create a location finder on your website.

Vulnerability: Multiple vulnerabilities
Fixed in version: Plugin temporarily closed
Number of sites affected: N/A
CVSS 3.0 score: 7.2-9.9 (high-critical) 

Multiple vulnerabilities were discovered in the WordPress Store Locator Plus plugin (versions <= 5.5.15).

This plugin has been closed as of April 12, 2021, and is not available for download. This closure is temporary, pending a full review.

RSS for Yandex Turbo

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: 1.30
Number of sites affected: 50 000+
CVSS 3.0 score: 6.5 (medium) 

Stored cross-site scripting (XSS) vulnerability discovered by Himamshu Dilip Kulkarni in WordPress RSS for Yandex Turbo plugin (versions <= 1.29).

Update the WordPress RSS for Yandex Turbo plugin to the latest available version (at least 1.30).

Database Backup for WordPress

Database Backup for WordPress allows you easily to backup your core WordPress database tables.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 2.4
Number of sites affected: 100 000+
CVSS 3.0 score: 6.9 (medium) 

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in Database Backup for WordPress plugin (versions <= 2.3.3).

Update the Database Backup for WordPress plugin to the latest available version (at least 2.4).

iThemes Security

iThemes Security offers 2FA, reCAPTCHA, and other hardening tools for WordPress.

Vulnerability: Hide backend bypass
Fixed in version: 7.9.1
Number of sites affected: 1+ million
CVSS 3.0 score: 4.3 (medium) 

Hide Backend Bypass vulnerability discovered by Julio Potier (SecuPress) in WordPress iThemes Security plugin (versions <= 7.9.0).

Update the WordPress iThemes Security plugin to the latest available version (at least 7.9.1).

SEO Redirection Plugin – 301 Redirect Manager

SEO Redirection is a redirect manager.

Vulnerability: Multiple vulnerabilities
Fixed in version: 6.4
Number of sites affected: 40 000+
CVSS 3.0 score: 6.5-6.8 (medium) 

Authenticated reflected cross-site scripting (XSS) and authenticated persistent cross-site scripting (XSS) vulnerabilities discovered by m0ze (Patchstack Red Team) in WordPress SEO Redirection plugin (versions <= 6.3).

Update the WordPress SEO Redirection plugin to the latest available version (at least 6.4).

GiveWP

GiveWP is a donation plugin for WordPress.

Vulnerability: Authenticated persistent cross-site scripting (XSS)
Fixed in version: 2.10.2
Number of sites affected: 100 000+
CVSS 3.0 score: 6.5 (medium) 

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress GiveWP plugin (versions <= 2.10.1).

Update the WordPress GiveWP plugin to the latest available version (at least 2.10.2).

All 404 Redirect to Homepage

With this plugin, you can fix all random 404 links that appear on your website and redirect them to the homepage or any other page using a 301 SEO redirect.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 1.21
Number of sites affected: 200 000+
CVSS 3.0 score: 6.5 (medium) 

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress All 404 Redirect to Homepage plugin (versions <= 1.20).

Update the WordPress All 404 Redirect to Homepage plugin to the latest available version (at least 1.21).

Kaswara Modern WPBakery Page Builder Addons

Kaswara is an addon for the WPBakery Page Builder WordPress plugin that adds a lot of great elements to build your unique layout.

Vulnerability: Arbitrary file upload/deletion
Fixed in version: Plugin removed from Envato repository. Deactivate and delete.
Number of sites affected: 10 000+
CVSS 3.0 score: 10 (critical) 

Arbitrary File Upload/Deletion vulnerabilities discovered by Robin Goodfellow in WordPress Kaswara Modern WPBakery Page Builder Addons premium plugin (versions <= 3.0.1).

Because this plugin has been closed and the plugin developer has been unresponsive, it is strongly advised to remove this plugin completely from your WordPress site as soon as possible.

The exploited flaw makes it possible for unauthenticated attackers to upload malicious PHP files to a WordPress site and ultimately achieve remote code execution to take over the site.

Redirection for Contact Form 7

An add-on for Contact Form 7 – redirect to any page you choose.

Vulnerability: Multiple vulnerabilities
Fixed in version: 2.3.4
Number of sites affected: 200 000+
CVSS 3.0 score: 4.2-7.5 (medium and high severity) 

Multiple vulnerabilities discovered by WordFence in WordPress Redirection for Contact Form 7 plugin.

Update the WordPress Redirection for Contact Form 7 plugin to the latest available version (at least 2.3.4).

Ultimate Maps by Supsystic

The Supsystic Ultimate Maps plugin was developed after the changes in Google Maps pricing policy.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 1.2.5
Number of sites affected: 10 000+
CVSS 3.0 score: 5.4 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Ultimate Maps by Supsystic plugin (versions <= 1.2.4).

Update the WordPress Ultimate Maps by Supsystic plugin to the latest available version (at least 1.2.5).

Popup by Supsystic

Popup plugin by Supsystic.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 1.10.5
Number of sites affected: 30 000+
CVSS 3.0 score: 5.4 (medium)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Popup by Supsystic plugin (versions <= 1.10.4).

Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.5).

QIWI for WooCommerce

WooCommerce payment gateway.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress QIWI for WooCommerce plugin (versions <= 0.0.9).

This plugin has been closed as of April 12, 2021, and is not available for download. This closure is temporary, pending a full review.

Teamleader CRM Forms

The Teamleader CRM Forms integration is a plugin to register leads or contacts directly from your WordPress website or landing page.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Teamleader CRM Forms plugin (versions <= 2.0.0).

This plugin has been closed as of April 12, 2021, and is not available for download. This closure is temporary, pending a full review.

Invoicing with InvoiceXpress for WooCommerce – Free

“Invoicing with InvoiceXpress for WooCommerce – Free” allows you to easily create legal invoices for your WooCommerce orders.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 3.0.3
Number of sites affected: 100+
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Invoicing with InvoiceXpress for WooCommerce plugin (versions <= 3.0.2).

Update the WordPress Invoicing with InvoiceXpress for WooCommerce plugin to the latest available version (at least 3.0.3).

Shopello API

This plugin enables your WordPress website to make use of a listing shortcode.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: Plugin does not exist, is not supported, or discontinued.
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Shopello API plugin (versions <= 2.9.0).

This plugin has been closed as of April 12, 2021, and is not available for download. This closure is temporary, pending a full review.

WordPress core 4.7-5.7

The world's most popular website builder. 41% of the web is built on WordPress.

Vulnerability: Sensitive data exposure
Fixed in version: 5.7.1
Number of sites affected: N/A
CVSS 3.0 score: 5.3 (medium)

Vulnerability: XML external entity (XXE)
Fixed in version: 5.7.1
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium - affecting PHP 8)

Sensitive data exposure and XML external entity (XXE) vulnerabilities discovered by SonarSource in WordPress core (versions 4.7-5.7).

Update the WordPress core to the latest available version (at least 5.7.1).

Sina Extension for Elementor

This is an extension or addon for the Elementor page builder. It extends Elementor and improves the web page building experience.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 3.3.12
Number of sites affected: 10 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Sina Extension for Elementor plugin (versions <= 3.3.11).

Update the WordPress Sina Extension for Elementor plugin to the latest available version (at least 3.3.12).

Ultimate Addons For Elementor

Elementor widgets, templates, and blocks.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.30.0
Number of sites affected: 600 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Ultimate Addons for Elementor premium plugin (versions <= 1.29.2).

Update the WordPress Ultimate Addons for Elementor premium plugin to the latest available version (at least 1.30.0).

Elementor Addon Elements

Add more power to your Elementor page builder experience by using our 24+ easy-to-use widgets and extensions.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.11.2
Number of sites affected: 100 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Elementor Addon Elements plugin (versions <= 1.11.1).

Update the WordPress Elementor Addon Elements plugin to the latest available version (at least 1.11.2).

Essential Addons for Elementor

Enhance your Elementor page-building experience with 70+ creative elements and extensions.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 4.5.4
Number of sites affected: 1+ million
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Essential Addons for Elementor plugin (versions <= 4.5.3).

Update the WordPress Essential Addons for Elementor plugin to the latest available version (at least 4.5.4).

Elementor – Header, Footer & Blocks Template

Elementor editor gives you the flexibility to design beautiful sections.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.5.8
Number of sites affected: 1+ million
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Elementor – Header, Footer & Blocks Template plugin (versions <= 1.5.7).

Update the WordPress Elementor – Header, Footer & Blocks Template plugin to the latest available version (at least 1.5.8).

Premium Addons for Elementor

55+ customizable Elementor essential addons and widgets, 300+ premade Elementor templates, and more.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 4.2.8
Number of sites affected: 400 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Premium Addons for Elementor plugin (versions <= 4.2.7).

Update the WordPress Premium Addons for Elementor plugin to the latest available version (at least 4.2.8).

Elements kit Elementor addons

ElementsKit offers addons for Elementor Page Builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.2.0
Number of sites affected: 300 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Elements kit Elementor addons plugin (versions <= 2.1.7).

Update the WordPress Elements kit Elementor addons plugin to the latest available version (at least 2.2.0).

Livemesh Addons for Elementor

Livemesh Addons for Elementor features a collection of extensions that can be used in the Elementor page builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 6.8
Number of sites affected: 100 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Livemesh Addons for Elementor plugin (versions <= 6.7.1).

Update the WordPress Livemesh Addons for Elementor plugin to the latest available version (at least 6.8).

HT Mega

HTMega is an absolute addons pack for Elementor that includes 80+ elements & 360 blocks with unlimited variations.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.5.7
Number of sites affected: 70 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress HT Mega plugin (versions <= 1.5.5).

Update the WordPress HT Mega plugin to the latest available version (at least 1.5.7).

WooLentor

Extend Elementor with 60+ creative Elementor widgets and extensions with PowerPack Elementor addons.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.8.6
Number of sites affected: 50 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress WooLentor plugin (versions <= 1.8.5).

Update the WordPress WooLentor plugin to the latest available version (at least 1.8.6).

PowerPack Addons for Elementor

Extend Elementor with 60+ creative Elementor widgets and extensions with PowerPack Elementor addons.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.3.2
Number of sites affected: 50 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress PowerPack Addons for Elementor plugin (versions <= 2.3.1).

Update the WordPress PowerPack Addons for Elementor plugin to the latest available version (at least 2.3.2).

Image Hover Effects – Elementor Addon

Set customized hover effects for your image.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.3.4
Number of sites affected: 40 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Image Hover Effects – Elementor Addon plugin (versions <= 1.3.3).

Update the WordPress Image Hover Effects – Elementor Addon plugin to the latest available version (at least 1.3.4).

Rife Elementor Extensions & Templates

Responsive templates for your landing pages.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.1.6
Number of sites affected: 30 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress Rife Elementor Extensions & Templates plugin (versions <= 1.1.5).

Update the WordPress Rife Elementor Extensions & Templates plugin to the latest available version (at least 1.1.6).

The Plus Addons for Elementor Lite

The Plus Addons for Elementor Lite gives multiple options to edit WordPress sites with Elementor.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.0.6
Number of sites affected: 30 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress The Plus Addons for Elementor Page Builder Lite plugin (versions <= 2.0.5).

Update the WordPress The Plus Addons for Elementor Page Builder Lite plugin to the latest available version (at least 2.0.6).

All-in-One Addons for Elementor – WidgetKit

WidgetKit provides the set of widgets for Elementor.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 2.3.10
Number of sites affected: 20 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress WidgetKit plugin (versions <= 2.3.9).

Update the WordPress WidgetKit plugin to the latest available version (at least 2.3.10).

JetWidgets For Elementor

JetWidgets provides a set of widgets for creating content in Elementor.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.0.9
Number of sites affected: 10 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress JetWidgets For Elementor plugin (versions <= 1.0.8).

Update the WordPress JetWidgets For Elementor plugin to the latest available version (at least 1.0.9).

DethemeKit For Elementor

Detheme Widgets for Elementor.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 1.5.5.5
Number of sites affected: 9 000+
CVSS 3.0 score: 6.4 (medium)

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress DethemeKit For Elementor plugin (versions <= 1.5.5.4).

Update the WordPress DethemeKit For Elementor plugin to the latest available version (at least 1.5.5.5).

WP Login Security and History

Security features for WordPress login page. 

Vulnerability: Authenticated persistent XSS & XFS
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 6.2 (medium)

Vulnerability: Authenticated cross-site request forgery (CSRF)
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 5.2 (medium)

Multiple vulnerabilities discovered by m0ze in WordPress WP Login Security and History plugin (versions <= 1.0).

This plugin has been closed as of April 5, 2021, and is not available for download. This closure is temporary, pending a full review.

Content Copy Protection & Prevent Image Save

Protect your content from selection and copy.

Vulnerability: Authenticated persistent XSS & XFS
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 6.2 (medium)

Vulnerability: Authenticated cross-site request forgery (CSRF)
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 5.2 (medium)

Multiple vulnerabilities discovered by m0ze in WordPress Content Copy Protection & Prevent Image Save plugin (versions <= 1.3).

This plugin has been closed as of April 5, 2021, and is not available for download. This closure is temporary, pending a full review.

Imagements

This plugin lets users use images in the comment section.

Vulnerability: Unauthenticated arbitrary file upload leading to remote code execution (RCE)
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 9.8 (critical)

Unauthenticated Arbitrary File Upload leading to Remote Code Execution (RCE) vulnerability discovered by Jin Huang in WordPress Imagements plugin (versions <= 1.2.5).

Plugin closed. Deactivate and delete.

WP Page Builder

WP Page Builder is a free drag-and-drop WordPress page builder for creating websites easily.

Vulnerability: Multiple stored cross-site scripting (XSS) vulnerabilities
Fixed in version: 1.2.4
Number of sites affected: 10 000+ 
CVSS 3.0 score: 7.4 (high)

Vulnerability: Insecure default configuration
Fixed in version: 1.2.4
Number of sites affected: 10 000+ 
CVSS 3.0 score: 5.4 (medium)

Multiple vulnerabilities discovered by WordFence in WordPress WP Page Builder plugin (versions <= 1.2.3).

Update the WordPress WP Page Builder plugin to the latest available version (at least 1.2.4).

Advanced Custom Fields PRO

Create fields in your WordPress site.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 5.9.1
Number of sites affected: 1+ million
CVSS 3.0 score: 6.8 (medium)

Reflected cross-site scripting (XSS) vulnerability discovered by Juan David Ordoñez Noriega in WordPress Advanced Custom Fields PRO plugin (versions <= 5.9.0).

Update the WordPress Advanced Custom Fields PRO plugin to the latest available version (at least 5.9.1).

Advanced Booking Calendar

Booking Calendar for Accommodations. The easy way to manage your bookings and raise your occupancy rate.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 1.6.8
Number of sites affected: 5 000+
CVSS 3.0 score: 6.2 (medium)

Authenticated reflected cross-site scripting (XSS) vulnerability discovered by iohex in WordPress Advanced Booking Calendar plugin (versions <= 1.6.7).

Update the WordPress Advanced Booking Calendar plugin to the latest available version (at least 1.6.8).

Ivory Search

Ivory Search is a simple-to-use advanced WordPress search plugin.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 4.6.1
Number of sites affected: 60 000+
CVSS 3.0 score: 7.4 (high)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jinson Varghese Behanan in WordPress Ivory Search plugin (versions <= 4.6).

Update the WordPress Ivory Search plugin to the latest available version (at least 4.6.1).

WooCommerce Customers Manager

WCCM extends your WooCommerce installation, letting you easily retrieve all customers' stats and personal data, import and export customers, convert guest accounts, etc.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 26.7
Number of sites affected: 1 800+
CVSS 3.0 score: 6.2 (medium)

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScan Team in WordPress WooCommerce Customers Manager premium plugin (versions <= 26.6).

Update the WordPress WooCommerce Customers Manager premium plugin to the latest available version (at least 26.7).

Cooked Pro

A recipe plugin for WordPress.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.7.5.6
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jinson Varghese Behanan in WordPress Cooked Pro premium plugin (versions <= 1.7.5.5).

Update the WordPress Cooked Pro premium plugin to the latest available version (at least 1.7.5.6).

Goto - Tour & Travel WordPress theme

Goto is a theme for travel agency websites.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 2.0
Number of sites affected: 300+
CVSS 3.0 score: 7.4 (high)

Unauthenticated reflected cross-site scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress Goto premium theme (versions <= 1.9).

Update the WordPress Goto premium theme to the latest available version (at least 2.0).

Bello premium theme

Bello is a premium WordPress theme professionally designed for directory & listing businesses.

Vulnerability: Unauthenticated SQL injection (SQLi)
Fixed in version: 1.5.8
Number of sites affected: 500+
CVSS 3.0 score: 7.5 (high)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.5.8
Number of sites affected: 500+
CVSS 3.0 score: 6.1 (medium)

Unauthenticated reflected cross-site scripting (XSS) and unauthenticated SQL injection (SQLi) vulnerabilities discovered by m0ze in the WordPress Bello - Directory & Listing premium theme (versions <= 1.5.7).

Update the WordPress Bello - Directory & Listing premium theme to the latest available version (at least 1.5.8).

March WordPress Vulnerability News

Findeo premium theme

Findeo is a WordPress real estate listing theme.

Vulnerability: Authenticated insecure direct object references (IDOR)
Fixed in version: 1.3.1
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.3.1
Number of sites affected: N/A
CVSS 3.0 score: 7.4 (high)

Multiple vulnerabilities were discovered by m0ze (Patchstack Red Team) in the WordPress Findeo premium theme (versions <= 1.2.6).

Update the WordPress Findeo premium theme to the latest available version (at least 1.3.1).

WorkScout premium theme

A WordPress solution for recruiters and employment agencies.

Vulnerability: Cross-frame scripting (XFS)
Fixed in version: 2.0.32
Number of sites affected: N/A
CVSS 3.0 score: 6.1 (medium)

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 2.0.32
Number of sites affected: N/A
CVSS 3.0 score: 8.2 (high)

Multiple vulnerabilities were discovered by m0ze (Patchstack Red Team) in the WordPress WorkScout premium theme (versions <= 2.0.31).

Update the WordPress WorkScout premium theme to the latest available version (at least 2.0.32).

Listeo premium theme

Build a directory & classifieds website similar to Yelp, Airbnb, Booking.com, TripAdvisor, HomeAway.

Vulnerability: Multiple insecure direct object references (IDOR)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Vulnerability: Multiple authenticated persistent cross-site scripting (XSS)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 6.9 (medium)

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.6.11
Number of sites affected: N/A
CVSS 3.0 score: 8.2 (high)

Multiple vulnerabilities were discovered by m0ze (Patchstack Red Team) in the WordPress Listeo premium theme (versions <= 1.6.07).

Update the WordPress Listeo premium theme to the latest available version (at least 1.6.11).

Controlled Admin Access

Give temporary, limited admin access to theme designers, plugin developers, and support agents.

Vulnerability: Improper input validation leading to privilege escalation
Fixed in version: 1.5.6
Number of sites affected: 8 000+
CVSS 3.0 score: 8.1 (high)

Improper Input Validation leading to Privilege Escalation vulnerability discovered by NinTechNet in WordPress Controlled Admin Access plugin (versions <= 1.5.5).

Update the WordPress Controlled Admin Access plugin to the latest available version (at least 1.5.6).

Easy Form Builder

Easy Form Builder is a user-friendly form creator that allows you to create professional multistep forms within minutes.

Vulnerability: Unauthorized AJAX calls
Fixed in version: plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 6.5 (medium)

Unauthorized AJAX Calls vulnerability discovered by WPScan Team in WordPress Easy Form Builder plugin (versions <= 1.0).

Plugin closed. Deactivate and delete.

Quiz And Survey Master

Create quizzes, trivia quizzes, customer satisfaction surveys, and more.

Vulnerability: Authenticated SQL injection (SQLi)
Fixed in version: 7.1.14
Number of sites affected: 40 000+
CVSS 3.0 score: 8.1 (high)

Authenticated SQL injection (SQLi) vulnerability discovered by WPScan Team in WordPress Quiz And Survey Master plugin (versions <= 7.1.13).

Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.1.14).

Patreon WordPress

Connect your WordPress site and your Patreon to increase your patrons and pledges.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 1.7.2
Number of sites affected: 5 000+
CVSS 3.0 score: 8.8 (high)

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jetpack Scan team in WordPress Patreon WordPress plugin (versions <= 1.7.1).

Update the WordPress Patreon WordPress plugin to the latest available version (at least 1.7.2).

Facebook for WordPress

This plugin will install a Facebook Pixel for your page so you can capture the actions people take when they interact with your pages, such as Lead, ViewContent, AddToCart, InitiateCheckout, and Purchase events.

Vulnerability: Cross-site request forgery (CSRF) leading to stored cross-site scripting (XSS)
Fixed in version: 3.0.4
Number of sites affected: 500 000+
CVSS 3.0 score: 8.8 (high)

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress Facebook for WordPress plugin (versions 3.0.0 – 3.0.3).

Update the WordPress Facebook for WordPress plugin to the latest available version (at least 3.0.4).

Vulnerability: PHP object injection vulnerability
Fixed in version: 3.0.0
Number of sites affected: 500 000+
CVSS 3.0 score: 10 (critical)

PHP Object Injection vulnerability discovered by WordFence in WordPress Facebook for WordPress plugin (versions <= 2.2.2).

Update the WordPress Facebook for WordPress plugin to the latest available version (at least 3.0.0).

Thrive themes - multiple vulnerabilities

Conversion-focused WordPress themes.

Storied

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Storied premium theme to the latest available version (at least 2.0.0).

Pressive

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Pressive premium theme to the latest available version (at least 2.0.0).

Performag

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Performag premium theme to the latest available version (at least 2.0.0).

Voice

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Voice premium theme to the latest available version (at least 2.0.0).

Squared

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Squared premium theme to the latest available version (at least 2.0.0).

Minus

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Minus premium theme to the latest available version (at least 2.0.0).

Focusblog

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Focusblog premium theme to the latest available version (at least 2.0.0).

Luxe

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Luxe premium theme to the latest available version (at least 2.0.0).

Ignition

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Ignition premium theme to the latest available version (at least 2.0.0).

Rise

Vulnerability: Unauthenticated arbitrary file upload and option deletion
Fixed in version: 2.0.0
Number of sites affected: N/A
CVSS 3.0 score: 10 (critical)

Update the WordPress Rise premium theme to the latest available version (at least 2.0.0).

Thrive plugins - multiple vulnerabilities

Conversion-focused WordPress plugins.

Thrive Dashboard

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Dashboard premium plugin to the latest available version (at least 2.3.9.3).

Thrive Architect

Vulnerability: Unauthenticated option update
Fixed in version: 2.6.7.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Architect premium plugin to the latest available version (at least 2.6.7.4).

Thrive Apprentice

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the Thrive Apprentice premium plugin to the latest available version (at least 2.3.9.4).

Thrive Quiz Builder

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Quiz Builder premium plugin to the latest available version (at least 2.3.9.4).

Thrive Ultimatum

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Ultimatum premium plugin to the latest available version (at least 2.3.9.4).

Thrive Leads Version

Vulnerability: Unauthenticated option update
Fixed in version: 2.3.9.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Leads Version premium plugin to the latest available version (at least 2.3.9.4).

Thrive Themes Builder

Vulnerability: Unauthenticated option update
Fixed in version: 2.2.4
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Themes Builder premium plugin to the latest available version (at least 2.2.4).

Thrive Headline Optimizer

Vulnerability: Unauthenticated option update
Fixed in version: 1.3.7.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Headline Optimizer premium plugin to the latest available version (at least 1.3.7.3).

Thrive Comments

Vulnerability: Unauthenticated option update
Fixed in version: 1.4.15.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Comments premium plugin to the latest available version (at least 1.4.15.3).

Thrive Optimize

Vulnerability: Unauthenticated option update
Fixed in version: 1.4.13.3
Number of sites affected: N/A
CVSS 3.0 score: 5.8 (medium)

Update the WordPress Thrive Optimize premium plugin to the latest available version (at least 1.4.13.3).

GiveWP – Donation Plugin and Fundraising Platform

A donation plugin for WordPress.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 2.10.0
Number of sites affected: 100 000+
CVSS 3.0 score: 6.1 (medium)

Reflected cross-site scripting (XSS) vulnerability discovered by Austin Bentley in WordPress GiveWP plugin (versions <= 2.9.7).

Update the WordPress GiveWP plugin to the latest available version (at least 2.10.0).

Controlled Admin Access

Give temporary, limited admin access to theme designers, plugin developers, and support agents.

Vulnerability: Improper access control & privilege escalation vulnerability
Fixed in version: 1.5.2
Number of sites affected: 8 000+
CVSS 3.0 score: 8.3 (high)

Improper access control & privilege escalation vulnerability discovered by m0ze (Patchstack Red Team) in WordPress Controlled Admin Access plugin (versions <= 1.5.1).

Update the WordPress Controlled Admin Access plugin to the latest available version (at least 1.5.2).

Delightful Downloads

A downloads manager for WordPress.

Vulnerability: Path traversal vulnerability
Fixed in version: no known fix - plugin closed
Number of sites affected: N/A
CVSS 3.0 score: 7.5 (high)

This plugin has been closed as of June 11, 2020, and is not available for download. Reason: Security Issue.

BuddyPress

BuddyPress helps you build a community website using WordPress.

Vulnerability: Privilege escalation vulnerability
Fixed in version: 7.2.1
Number of sites affected: N/A
CVSS 3.0 score: 7.6 (high)

Privilege escalation vulnerability discovered in WordPress BuddyPress plugin (versions <= 7.2.0).

Update the WordPress BuddyPress plugin to the latest available version (at least 7.2.1).

Elementor Website Builder

A WordPress website builder.

Vulnerability: Multiple authenticated stored cross-site scripting (XSS)
Fixed in version: 3.1.4
Number of sites affected: 5+ million
CVSS 3.0 score: 6.4 (medium)

Multiple authenticated stored cross-site scripting (XSS) vulnerabilities were found by WordFence in the WordPress Elementor Website Builder plugin (versions <= 3.1.1).

Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.1.4).

WP Super Cache

This plugin generates static HTML files from your dynamic WordPress blog.

Vulnerability: Authenticated remote code execution (RCE)
Fixed in version: 1.7.2
Number of sites affected: 2+ million

Authenticated Remote Code Execution (RCE) vulnerability (settings page) discovered by m0ze (Patchstack Red Team) in WordPress WP Super Cache plugin (versions <= 1.7.1).

Update the WordPress WP Super Cache plugin to the latest available version (at least 1.7.2).

Tutor LMS – eLearning and online course solution

Tutor is a WordPress LMS plugin to create & sell courses online.

Vulnerability: Unprotected AJAX action leading to privilege escalation
Fixed in version: 1.7.7
Number of sites affected: 20 000+

Vulnerability: Multiple Blind/Time-based SQL Injection (SQLi) vulnerabilities
Fixed in version: 1.7.7
Number of sites affected: 20 000+

Vulnerability: Multiple union SQL injections (SQLi) vulnerabilities
Fixed in version: 1.8.3
Number of sites affected: 20 000+

Update the WordPress Tutor LMS plugin to the latest available version (at least 1.8.3).

The Plus Addons for Elementor

Collection of 100+ Elementor widgets, 18+ templates, 300+ UI blocks and more.

Vulnerability: Privilege escalation vulnerability
Fixed in version: no known fix
Number of sites affected: N/A

Privilege Escalation vulnerability found by Ville Korhonen in WordPress The Plus Addons for Elementor premium plugin (versions <= 4.1.6).

2021-03-09 - we were unable to find any information about a patched version of this plugin. We recommend deactivating and uninstalling this software until a patched version is available.

Five Star Restaurant Menu

Create a responsive restaurant menu and a restaurant menu ordering system.

Vulnerability: Unauthenticated Remote Code Execution (RCE)
Fixed in version: 2.2.1
Number of sites affected: 10 000+

Unauthenticated Remote Code Execution (RCE) vulnerability discovered by Nick Blundell in WordPress Five Star Restaurant Menu plugin (versions <= 2.2.0).

Update the WordPress Five Star Restaurant Menu plugin to the latest available version (at least 2.2.1).

WooCommerce Upload Files premium

Upload any file any size from the product, cart, checkout, thank you, and/or order details pages. Preview images, add additional costs, fees, and many more options.

Vulnerability: Unauthenticated arbitrary file upload
Fixed in version: 59.4
Number of sites affected: 5 000+

Unauthenticated Arbitrary File Upload vulnerability found by WordFence in WordPress WooCommerce Upload Files premium plugin (versions <= 59.3).

Update the WordPress WooCommerce Upload Files premium plugin to the latest available version (at least 59.4).

User Profile Picture

Set or remove a custom profile image for a user using the standard WordPress media upload tool.

Vulnerability: Sensitive information disclosure
Fixed in version: 2.5.0
Number of sites affected: 60 000+

Sensitive Information Disclosure vulnerability found by WordFence in WordPress User Profile Picture plugin (versions <= 2.4.0).

Update the WordPress User Profile Picture plugin to the latest available version (at least 2.5.0).

Forminator

WordPress form builder.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.14.8.1
Number of sites affected: 100 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Forminator plugin (versions <= 1.14.8).

Update the WordPress Forminator plugin to the latest available version (at least 1.14.8.1).

Dokan

Marketplace plugin for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2.1
Number of sites affected: 60 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Dokan plugin (versions <= 3.2.0).

Update the WordPress Dokan plugin to the latest available version (at least 3.2.1).

Defender Security – Malware Scanner, Login Security & Firewall

WordPress security plugin.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.6.1
Number of sites affected: 50 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Defender Security plugin (versions <= 2.4.6).

Update the WordPress Defender Security plugin to the latest available version (at least 2.4.6.1).

Abandoned Cart Lite for WooCommerce

Abandoned Cart Plugin helps you recover those carts from your WooCommerce shop.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 5.8.6
Number of sites affected: 30 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Abandoned Cart Lite for WooCommerce plugin (versions <= 5.8.5).

Update the WordPress Abandoned Cart Lite for WooCommerce plugin to the latest available version (at least 5.8.6).

Style Kits – Advanced Theme Styles for Elementor

Style Kits for Elementor adds meaningful UI controls to Theme Styles for the most important variables of your layout system in Elementor.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.8.1
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Style Kits plugin (versions <= 1.8.0).

Update the WordPress Style Kits plugin to the latest available version (at least 1.8.1).

WP ERP

Company and business management solution for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 1.7.5
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP ERP plugin (versions <= 1.7.4).

Update the WordPress WP ERP plugin to the latest available version (at least 1.7.5).

WP Project Manager

A project management and task management tool for WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 2.4.10
Number of sites affected: 10 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP Project Manager plugin (versions <= 2.4.9).

Update the WordPress WP Project Manager plugin to the latest available version (at least 2.4.10).

WP Travel

WP Travel is a free travel engine for making customized travel and tour agency websites on WordPress.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 4.4.7
Number of sites affected: 6 000+

Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress WP Travel plugin (versions <= 4.4.6).

Update the WordPress WP Travel plugin to the latest available version (at least 4.4.7).

February WordPress Vulnerability News

YITH WooCommerce Gift Cards Premium

Sell gift cards in your shop to increase your earnings and attract new customers.

Vulnerability: Arbitrary file upload to remote code execution (RCE)
Fixed in version: 3.3.1
Number of sites affected: 50 000+

Arbitrary File Upload to Remote Code Execution (RCE) vulnerability found by Guy Liu in WordPress YITH WooCommerce Gift Cards plugin (versions <= 3.3.0).

Update the WordPress YITH WooCommerce Gift Cards plugin to the latest available version (at least 3.3.1).

NextGEN Gallery Pro

Gallery plugin built for WordPress.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 3.1.11
Number of sites affected: 1+ million

Reflected Cross-Site Scripting (XSS) vulnerability found by Thura Moe Myint in WordPress NextGEN Gallery Pro premium plugin (versions <= 3.1.9).

Update the WordPress NextGEN Gallery Pro premium plugin to the latest available version (at least 3.1.11).

WordPress Mega Menu – QuadMenu

Mega Menu is designed for theme developers with customizable menu layouts and drag & drop fields.

Vulnerability: Remote code execution (RCE)
Fixed in version: 2.0.7
Number of sites affected: 20 000+

Remote Code Execution (RCE) vulnerability found by Mikel Gorraiz in WordPress QuadMenu plugin (versions <= 2.0.6).

Update the WordPress QuadMenu plugin to the latest available version (at least 2.0.7).

WP Private Content Plus

WP Private Content Plus simplifies the process of protecting your important WordPress site content from guests, members, specific user roles, or a group of selected users.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.2
Number of sites affected: 8 000+

Cross-Site Request Forgery (CSRF) vulnerability found in WordPress WP Private Content Plus plugin (versions <= 3.1).

Update the WordPress WP Private Content Plus plugin to the latest available version (at least 3.2).

Custom Banners

Custom Banners is a WordPress plugin that allows you to easily manage several banners (ads) and display them on the front end.

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.3
Number of sites affected: 7 000+

Cross-Site Request Forgery (CSRF) vulnerability found by WPScan Team in WordPress Custom Banners plugin (versions <= 3.2.2).

Update the WordPress Custom Banners plugin to the latest available version (at least 3.3).

WordPress Backup and Migrate Plugin – Backup Guard

Backup Guard is a WordPress backup plugin.

Vulnerability: Authenticated arbitrary file upload
Fixed in version: 1.6.0
Number of sites affected: 70 000+

Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh in WordPress Backup Guard plugin (versions <= 1.5.9).

Update the WordPress Backup Guard plugin to the latest available version (at least 1.6.0).

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Use Ninja Forms to create WordPress forms.

Vulnerability: Authenticated SendWP plugin installation and client secret key disclosure
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Authenticated OAuth connection key disclosure
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Administrator open redirect
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Vulnerability: Cross-site request forgery (CSRF)
Fixed in version: 3.4.34
Number of sites affected: 1+ million

Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.4.34).

WP Ticket Customer Service Software & Support Ticket System

WP Ticket is a help desk software for WordPress.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 5.6.0
Number of sites affected: 600+

Cross-Site Scripting (XSS) vulnerability found by WPScan security research team in WordPress WP Ticket Customer Service Software & Support Ticket System plugin (versions <= 5.5.1).

Update the WordPress WP Ticket Customer Service Software & Support Ticket System plugin to the latest available version (at least 5.6.0).

WordPress Vulnerability News - Conclusion

See the full list of vulnerabilities here.

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily.

Every public website is a resource reachable from the internet, and therefore a target: as soon as your website is available to the public, it immediately becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign, and attacks of this nature are almost always automated.

This leaves you only a small time window in which to act. In such cases, virtual patches are critically important.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the plugins mentioned above, update them to the latest version as soon as possible.

When a vulnerability is discovered, Patchstack creates a virtual patch that is distributed automatically to the sites it protects. Threat intelligence and prevention are our main focus, and our security engine is therefore updated on a daily basis.

Websites with Patchstack installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, you can start for free here.
